Tuesday, June 30, 2009

Log Centralization, Analysis and Visualization

Many IT organizations now secure their logs in one central location, but some of them lack any visualization of that data when an incident has to be handled or analyzed. That gap can become a serious problem from both a legal and a corporate-image perspective. SIEM (security information and event management) systems can help to resolve these issues, but logging, correlation and visualization across distributed networks have always been challenging.


In a typical network, many different sources interact with multiple devices at specific layers to pass traffic, and the rate at which such a network generates logs is moderate to high. So why is log centralization considered necessary? From my experience, it is because of easy accessibility, searchability, log categorization, identification, correlation and redundancy. When it comes to securing the architecture of log management, virtualization concepts have taken a step forward, mostly in data centers and hosting farms. The typical architecture looks as below:

{Sources -> Generate Logs -> Virtualization (analyzing, disposing logs) -> Log Management (storing, analyzing logs)}

The typical challenges of this architecture involve balancing the quantity of log management resources, policies and procedures, continuous monitoring of log data, log categorization and access control. On the visualization side, the DAVIX Live CD contains a number of useful tools and scripts that make it easier to process log data and visualize it in order to track incidents.
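To make the pipeline above concrete, here is an added example (my own code, not part of the original post and not from DAVIX or any SIEM product) that runs the centralization stages on a handful of constructed syslog lines: parse the lines a collector would receive from several hosts, categorize each event, correlate across hosts, and aggregate counts into the kind of time-bucketed table a plotting tool is fed. The hostnames, addresses, users, the 10-minute window and the thresholds are all assumptions chosen for the example. The correlation rules are the ones that only become possible once logs from different hosts sit in one place: a source that fails authentication on more than one host in a short window, and a successful login from a source that had just been failing.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample input: syslog-style lines as a central collector might
# receive them from three hosts. Hostnames, addresses and users are made up.
SAMPLE_LOGS = """\
Jun 30 10:01:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Jun 30 10:01:05 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Jun 30 10:01:09 db01 sshd[1190]: Failed password for root from 203.0.113.7 port 50130 ssh2
Jun 30 10:01:15 db01 sshd[1190]: Accepted password for root from 203.0.113.7 port 50131 ssh2
Jun 30 10:02:00 fw01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=445
Jun 30 10:20:00 web01 sshd[2300]: Failed password for bob from 192.0.2.50 port 40001 ssh2
Jun 30 10:45:00 web01 cron[3001]: (root) CMD (run-parts /etc/cron.hourly)
"""

# BSD syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Categorization rules: the first matching rule tags the event and extracts
# the fields correlation needs (source address, user).
CATEGORY_RULES = [
    ("auth_failure", re.compile(
        r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("auth_success", re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("fw_drop", re.compile(r"\bDROP\b.*\bSRC=(?P<src>\S+)")),
]


def parse_line(line, year=2009):
    """Normalize one syslog line into a dict, or None if it is not syslog.
    BSD syslog omits the year, so the caller supplies it (assumed 2009 here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    event = {"ts": ts, "host": m.group("host"), "prog": m.group("prog"),
             "msg": m.group("msg"), "category": "other", "user": None, "src": None}
    for category, rule in CATEGORY_RULES:
        r = rule.search(event["msg"])
        if r:
            event["category"] = category
            event.update(r.groupdict())
            break
    return event


def correlate(events, window=timedelta(minutes=10), min_failures=3, min_hosts=2):
    """Cross-host rules (assumed thresholds): 1. one source failing auth on
    several hosts inside the window; 2. a login success from a source that failed
    shortly before. Expects events sorted by timestamp."""
    alerts = []
    failures_by_src = defaultdict(list)
    for e in events:
        if e["category"] == "auth_failure":
            failures_by_src[e["src"]].append(e)

    for src, evs in failures_by_src.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["host"] for e in in_window}
            if len(in_window) >= min_failures and len(hosts) >= min_hosts:
                alerts.append({"rule": "distributed_bruteforce", "src": src,
                               "hosts": sorted(hosts), "count": len(in_window),
                               "first": first["ts"], "last": in_window[-1]["ts"]})
                break  # one alert per source is enough

    for e in events:
        if e["category"] != "auth_success":
            continue
        prior = [f for f in failures_by_src.get(e["src"], [])
                 if timedelta(0) <= e["ts"] - f["ts"] <= window]
        if prior:
            alerts.append({"rule": "success_after_failures", "src": e["src"],
                           "host": e["host"], "user": e["user"],
                           "prior_failures": len(prior), "ts": e["ts"]})
    return alerts


def bucket_counts(events, bucket_minutes=15):
    """Count events per (bucket start, host, category); this table is what a
    plotting tool gets. bucket_minutes must divide 60."""
    counts = Counter()
    for e in events:
        start = e["ts"].replace(minute=(e["ts"].minute // bucket_minutes) * bucket_minutes,
                                second=0, microsecond=0)
        counts[(start, e["host"], e["category"])] += 1
    return counts


def process_logs(text):
    """Whole pipeline: parse, categorize, sort, correlate, aggregate."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return {"events": events, "alerts": correlate(events), "counts": bucket_counts(events)}


if __name__ == "__main__":
    result = process_logs(SAMPLE_LOGS)
    for a in result["alerts"]:
        print(a)
    for (start, host, cat), n in sorted(result["counts"].items()):
        print(f"{start:%H:%M},{host},{cat},{n}")
```

On the sample, the two web01 failures and the db01 failure from 203.0.113.7 fall within one window and trigger the distributed brute-force rule, and the db01 "Accepted password" that follows is flagged because of those prior failures; the lone failure from 192.0.2.50 stays below threshold. Neither rule could fire if each host's log were read on its own, which is the practical argument for the centralization and correlation the architecture above is meant to provide. The bucketed counts are printed as CSV so they can be handed to whatever plotting tool you use.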

References:
http://davix.secviz.org
http://www.wallinfire.net/picviz
http://www.vizsec.org
http://www.splunk.com