Log file management tramite syslog-ng Giacomo Lanzi

Log File Management with the Secure Online Desktop service

IT systems produce large quantities of log files, very useful tools for guaranteeing data security and application stability. However, in a complex ecosystem, the quantity of files and their location can become two insurmountable obstacles to overcome, in case it is necessary to consult the data efficiently. This is where log management systems come into play, which thanks to technologies such as Syslog-ng, are able to circumvent the problem. In the article, we see how a log file management solution can be a valuable investment.

What is a log file, what is it for

Any action that is performed on a machine or by it can be recorded in a log file. To understand what it is, let’s imagine that it is a ship’s logbook, in which every single event that happened on the boat is noted. In fact, the name derives from the nautical environment, in which the use of a logbook was common. This was nothing more than a diary in which navigation data were recorded at regular intervals: speed, wind strength and direction, water conditions and so on.

With the concept of recording useful information in a file that can be consulted later, the log file contains any changes, actions, states or modifications for security reasons. In case something goes wrong, it is easy to understand what happened by consulting a log file. This is especially true when we talk about servers and applications, data dissemination, IT security, etc.

Amount of log files

Some companies have up to a few dozen servers, others have hundreds, some thousands, and there are others that manage tens of thousands of servers. These systems produce a huge amount of data in the form of log files.

Complicating things is IT architecture. Very often machines are organized into subsystems, both for reasons of convenience and safety. In the unfortunate event that someone wants to consult the log files following an accident, we should despair. Which server holds the data we are interested in? Which subsystem is it in? These are not questions that can be answered simply, especially if you don’t know the source of the problem.

The management of the log files of a system (or Log Management) is essential in the collection of data, prevention and resolution of problems.

Secure Online Desktop Log Management

SOD offers a log management solution through Syslog-ng Premium Edition agents. These are in charge of the collection, transmission and storage of log files. Not only are they collected and centralized in a single virtual place, but the data are also normalized, ie “translated” into standardized formats so that they can be consulted and compared more easily.

Real-time normalization, reporting and classification

Thanks to normalization, it is possible to carry out cross-sectional full-text searches in a few seconds to all the log files collected. Complex operations are guaranteed by the possibility of using wildcards and Boolean operators. The analysis of the collected data is therefore very simplified, which allows the data to also be used to monitor the efficiency of the system, identify possible future problems and intervene before it is too late.

It is also possible to generate customized reports consisting of graphs and statistics with the aim of certifying compliance with standards and regulations such as PCI-DSS, ISO 27001, SOX and HIPAA.

One of the most interesting features of syslog-ng is the ability to automatically classify messages and sort them into classes. These can then be used to label the type of event described in the log. Examples of possible classes: user login, application crash, file transfer, etc.

Extraction and correlation of messages in log files

The classification of messages opens the door to a further functionality: the extraction and correlation of messages. Once each message contained in the log file has been normalized and classified according to your needs, it is possible to assign different tags, to add an additional filter level.

To give an example: once a user’s login messages have been collected, it is possible to label them as user_login, and then isolate them by extracting them and collecting them in a separate file to perform further processing on these messages.

Syslog-ng also makes it possible to correlate events in real time, to prevent data from a single event being scattered across multiple log files. For example, the access and exit data (log-in and log-out) are often recorded far from each other, even in different log files. Through correlation, the data of a single event can be collected and analyzed in isolation.

Automatic backup

The stored log messages and the configuration of the Log Management service can be periodically transferred to a remote server using the following protocols:

– Network File System protocol (NFS)
– Rsync over SSH
– Server Message Block protocol (SMB / CIFS)

Performance

The log file collection and management system with syslog-ng PE agents operates on over 50 platforms, including all Linux distributions and commercial versions of Unix and Windows. The service is able to manage huge quantities of messages, up to over 100,000 per second and over 70 GB of raw log files per hour, from 5000 different sources (servers, applications, etc.).

Ask us for more information about our Log Monitoring service to know specifically how it can be implemented in your systems and how it can help you.

[btnsx id=”2931″]

Useful links:

Log Management

Log Management features

New service | Log Management – High performance service for collecting logs

 

 

 

Share


RSS

More Articles…

Categories …

Tags

RSS Dark Reading

RSS Full Disclosure

  • Backdoor.Win32.Delf.eg / Unauthenticated Remote Command Execution October 3, 2022
    Posted by malvuln on Oct 03Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/de6220a8e8fcbbee9763fb10e0ca23d7.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Delf.eg Vulnerability: Unauthenticated Remote Command Execution Description: The malware listens on TCP port 7401. Third-party adversarys who can reach infected systems can issue commands made available by the...
  • Backdoor.Win32.NTRC / Weak Hardcoded Credentials October 3, 2022
    Posted by malvuln on Oct 03Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/273fd3f33279cc9c0378a49cf63d7a06.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.NTRC Vulnerability: Weak Hardcoded Credentials Family: NTRC Type: PE32 MD5: 273fd3f33279cc9c0378a49cf63d7a06 Vuln ID: MVID-2022-0646 Disclosure: 10/02/2022 Description: The malware listens on TCP port 6767....
  • Wordpress plugin - WPvivid Backup - CVE-2022-2863. October 3, 2022
    Posted by Rodolfo Tavares via Fulldisclosure on Oct 03=====[ Tempest Security Intelligence - ADV-15/2022 ]========================== Wordpress plugin - WPvivid Backup - Version < 0.9.76 Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ […]
  • ZKBioSecurity 3.0.5- Privilege Escalation to Admin (CVE-2022-36634) October 1, 2022
    Posted by Caio B on Sep 30#######################ADVISORY INFORMATION####################### Product: ZKSecurity BIO Vendor: ZKTeco Version Affected: 3.0.5.0_R CVE: CVE-2022-36634 Vulnerability: User privilege escalation #######################CREDIT####################### This vulnerability was discovered and researched by Caio Burgardt and Silton Santos. #######################INTRODUCTION####################### Based on the hybrid biometric technology and...
  • ZKBiosecurity - Authenticated SQL Injection resulting in RCE (CVE-2022-36635) October 1, 2022
    Posted by Caio B on Sep 30#######################ADVISORY INFORMATION####################### Product: ZKSecurity BIO Vendor: ZKTeco ( https://www.zkteco.com/en/ZKBiosecurity/ZKBioSecurity_V5000_4.1.2) Version Affected: 4.1.2 CVE: CVE-2022-36635 Vulnerability: SQL Injection (with a plus: RCE) #######################CREDIT####################### This vulnerability was discovered and researched by Caio Burgardt and Silton Santos....
  • Backdoor.Win32.Augudor.b / Remote File Write Code Execution September 27, 2022
    Posted by malvuln on Sep 27Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/94ccd337cbdd4efbbcc0a6c888abb87d.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Augudor.b Vulnerability: Remote File Write Code Execution Description: The malware drops an empty file named "zy.exe" and listens on TCP port 810. Third-party adversaries who can reach the infected […]
  • Backdoor.Win32.Psychward.b / Weak Hardcoded Credentials September 27, 2022
    Posted by malvuln on Sep 27Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/0b8cf90ab9820cb3fcb7f1d1b45e4e57.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Psychward.b Vulnerability: Weak Hardcoded Credentials Description: The malware listens on TCP port 8888 and requires authentication. However, the password "4174" is weak and hardcoded in cleartext within the PE...
  • Backdoor.Win32.Bingle.b / Weak Hardcoded Credentials September 27, 2022
    Posted by malvuln on Sep 27Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/eacaa12336f50f1c395663fba92a4d32.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Bingle.b Vulnerability: Weak Hardcoded Credentials Description: The malware is packed using ASPack 2.11, listens on TCP port 22 and requires authentication. However, the password "let me in" is weak […]
  • SEC Consult SA-20220923-0 :: Multiple Memory Corruption Vulnerabilities in COVESA (Connected Vehicle Systems Alliance) DLT daemon September 27, 2022
    Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Sep 27SEC Consult Vulnerability Lab Security Advisory < 20220923-0 > ======================================================================= title: Multiple Memory Corruption Vulnerabilities product: COVESA DLT daemon (Diagnostic Log and Trace) Connected Vehicle Systems Alliance (COVESA), formerly GENIVI vulnerable version:
  • Backdoor.Win32.Hellza.120 / Authentication Bypass September 20, 2022
    Posted by malvuln on Sep 19Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/2cbd0fcf4d5fd5fb6c8014390efb0b21_B.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Hellza.120 Vulnerability: Authentication Bypass Description: The malware listens on TCP ports 12122, 21. Third-party adversarys who can reach infected systems can logon using any username/password combination....

Customers

Newsletter