Log Analysis

Would it be valuable to discover which users outside a trusted user community had accessed a file server that stores highly sensitive information? To know which systems might be affected by a zero-day exploit, and to prioritize them by the asset value of the impacted hosts? To be alerted automatically when a transaction in your financials application exceeds a set dollar amount? LogRhythm's log analysis engine pulls this level of insight from millions, or even hundreds of millions, of logs in real time.

While some log entries are immediately relevant to daily operations, many are uninteresting, at least in the short term. It is still important to collect and manage all of them, so that nothing is missed and the entry you need can be found when you need it. With manual or homegrown tooling that is a search for the proverbial needle in a haystack. LogRhythm processes and normalizes every log so that search, forensic analysis, trending and alerting become simple, and its analysis tools make it straightforward to identify and locate any entry.

 

Automated Log Analysis

Log Normalization

LogRhythm automates the process of finding interesting log entries with a customizable log identification engine. When a log is identified it is "normalized" for analysis and reporting: it is assigned a "common name" and classified as security, operations or audit related, and reporting fields such as IP addresses, UDP/TCP port numbers and logins are parsed out of the log text.

An important aspect of log normalization is time synchronization. In many IT operations, systems are spread across time zones and their clocks are not set from a single source. LogRhythm therefore converts the timestamp of every log entry to a single 'normal time' for reporting and analysis, which is essential when analyzing activity across distributed systems where the order of events matters. If one log was written at 3:00 PM EST and another, across the country, at 12:00 PM PST, LogRhythm records both as having occurred at the same instant. Note that this corrects for time-zone offsets, not for a source clock that is itself wrong; the source systems should still be kept in sync with NTP so the normalized times can be trusted.
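The following is an added example of the normalization step described above, not LogRhythm's own code. It assumes a simple "date time ZONE host message" line layout, a small constructed rule table for common names and classifications, fixed standard-time offsets for EST and PST, and three constructed log lines, two of which are the 3:00 PM EST / 12:00 PM PST pair from the text. Once every record carries one reference time, the per-IP timeline at the end lines up the attacker's activity across both coasts; it also goes slightly beyond the text by parsing IPs, ports and logins from the message.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Fixed standard-time offsets for the zone abbreviations used in the text.
# Assumption for this example only: a real collector should map each source to
# a full IANA zone (zoneinfo) so daylight-saving transitions are handled.
ZONE_OFFSETS = {
    "UTC": timedelta(0),
    "EST": timedelta(hours=-5),
    "PST": timedelta(hours=-8),
}

# Identification rules, constructed for this example: first match wins and
# supplies the "common name" and the security/operations/audit classification.
RULES = [
    (re.compile(r"Failed password"), "Authentication Failure", "security"),
    (re.compile(r"Accepted password"), "Authentication Success", "audit"),
    (re.compile(r"\b(?:DROP|DENY)\b"), "Firewall Deny", "security"),
    (re.compile(r"\blink (?:down|up)\b", re.I), "Interface State Change", "operations"),
]

# Assumed line layout: "<YYYY-MM-DD HH:MM:SS> <ZONE> <host> <message>".
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([A-Z]{3}) (\S+) (.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT = re.compile(r"\b(?:port|dpt|spt|dport|sport)[ =](\d{1,5})\b", re.I)
LOGIN = re.compile(r"\b(?:for (?:invalid user )?|user[ =])(\w+)", re.I)


@dataclass
class NormalizedLog:
    normal_time: datetime      # the single reference time (UTC)
    source_time: str           # the timestamp exactly as the device wrote it
    host: str
    common_name: str
    classification: str
    ips: List[str]
    ports: List[int]
    login: Optional[str]
    raw: str


def to_normal_time(stamp: str, zone: str) -> datetime:
    """Read a device-local timestamp in its own zone and convert it to UTC."""
    if zone not in ZONE_OFFSETS:
        raise ValueError(f"unknown zone abbreviation: {zone}")
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=timezone(ZONE_OFFSETS[zone])).astimezone(timezone.utc)


def normalize(line: str) -> NormalizedLog:
    """Identify the log, assign common name/classification, parse fields, fix time."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unrecognized log layout: {line!r}")
    stamp, zone, host, message = m.groups()
    common_name, classification = "Unidentified", "operations"
    for pattern, name, cls in RULES:
        if pattern.search(message):
            common_name, classification = name, cls
            break
    login = LOGIN.search(message)
    return NormalizedLog(
        normal_time=to_normal_time(stamp, zone),
        source_time=f"{stamp} {zone}",
        host=host,
        common_name=common_name,
        classification=classification,
        ips=IPV4.findall(message),
        ports=[int(p) for p in PORT.findall(message)],
        login=login.group(1) if login else None,
        raw=line,
    )


def activity_by_ip(records: List[NormalizedLog]) -> Dict[str, List[Tuple[datetime, str, str]]]:
    """Timeline per IP across all sources; only meaningful because every
    record carries the same reference time."""
    timeline: Dict[str, List[Tuple[datetime, str, str]]] = {}
    for r in sorted(records, key=lambda r: r.normal_time):
        for ip in r.ips:
            timeline.setdefault(ip, []).append((r.normal_time, r.host, r.common_name))
    return timeline


# Constructed sample lines: one attacker seen at 3:00 PM EST on an East-coast
# file server and at 12:00 PM PST on a West-coast firewall, plus a router
# event reported in UTC five seconds later.
SAMPLE_LOGS = [
    "2024-03-05 15:00:00 EST fs-east sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2",
    "2024-03-05 12:00:00 PST fw-west kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.5.20 PROTO=TCP DPT=445",
    "2024-03-05 20:00:05 UTC core-rtr1 ifmgr: Interface GigabitEthernet0/1 link down",
]

if __name__ == "__main__":
    records = [normalize(line) for line in SAMPLE_LOGS]
    for r in records:
        print(f"{r.source_time:>23} -> {r.normal_time.isoformat()}  {r.host:<10} {r.classification:<10} {r.common_name}")
    for ip, hits in activity_by_ip(records).items():
        print(ip, hits)
```

Both the EST and the PST line normalize to 20:00:00 UTC, so they sort and correlate as one instant, while the original `source_time` is kept for evidence purposes.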

Risk-based Prioritization

LogRhythm automatically prioritizes each event according to its impact on your business's operations.

LogRhythm's risk-based prioritization computes a priority on a 100-point scale from:

  • the type of event,
  • the likelihood that the event is a false alarm,
  • the threat rating of the host causing the event (e.g., a remote attacker), and
  • the risk rating of the server on which the event occurred.

LogRhythm's risk-based priority helps ensure the most important events are identified and acted upon.

The impact of an event varies by business and, within a business, by system. A router link failure might not be immediately critical for an ISP with redundant routers, but for a branch office with a single router, business is impacted until it is fixed. A server reboot is uninteresting on a user workstation but extremely interesting on an ERP server with a 99.999% uptime requirement.
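The following added example shows one way to turn the four inputs listed above into a 100-point priority. It is not LogRhythm's scoring code: the weights, the event-type severities, the false-alarm percentages and the host ratings are all constructed assumptions chosen so that the router and server-reboot cases from the paragraph above come out as the text describes. The false-alarm likelihood is applied as a discount on the whole score, so a noisy event type on a critical asset still ranks below a reliable one.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Event:
    common_name: str     # assigned by log normalization
    origin_host: str     # host that caused the event (may be a remote IP)
    impacted_host: str   # server on which the event occurred


# The four inputs named on the page. Every rating and weight below is a
# constructed example value; the product's own tables are not published here.
#   common name -> (severity 0-10, percent chance the event is a false alarm)
EVENT_TYPES = {
    "Authentication Failure": (6, 40),   # typos are common
    "Server Reboot": (4, 0),
    "Interface State Change": (5, 10),
    "Firewall Deny": (3, 60),            # mostly background noise
}
DEFAULT_EVENT_TYPE = (3, 50)

# Threat rating 0-10 of the host that caused the event. Unrated hosts default
# to 1 in this example (assumed to be internal).
HOST_THREAT = {"198.51.100.7": 9}        # e.g. a known remote attacker
DEFAULT_THREAT = 1

# Risk rating 0-10 of the asset on which the event occurred.
ASSET_RISK = {
    "ws-0423": 1,          # user workstation
    "erp-db01": 10,        # ERP database with a 99.999% uptime requirement
    "fs-east": 8,          # file server holding sensitive data
    "isp-core-rtr1": 3,    # ISP router with a redundant peer
    "branch-rtr1": 10,     # the branch office's only router
}
DEFAULT_RISK = 5

W_TYPE, W_THREAT, W_ASSET = 0.4, 0.3, 0.3   # assumed weights, sum to 1.0


def priority(ev: Event) -> int:
    """Weighted 0-100 score, discounted by the probability of a false alarm."""
    severity, false_alarm_pct = EVENT_TYPES.get(ev.common_name, DEFAULT_EVENT_TYPE)
    threat = HOST_THREAT.get(ev.origin_host, DEFAULT_THREAT)
    risk = ASSET_RISK.get(ev.impacted_host, DEFAULT_RISK)
    base = W_TYPE * severity / 10 + W_THREAT * threat / 10 + W_ASSET * risk / 10
    confidence = 1 - false_alarm_pct / 100
    return max(0, min(100, round(100 * base * confidence)))


def rank(events: List[Event]) -> List[Tuple[int, Event]]:
    """Highest priority first, so the most important events are acted on first."""
    return sorted(((priority(e), e) for e in events), key=lambda p: p[0], reverse=True)


# Constructed events reproducing the cases from the text: the same reboot on a
# workstation and on the ERP server, the same link failure at an ISP and at a
# branch office, plus a remote attacker failing to log in to the file server.
SAMPLE_EVENTS = [
    Event("Server Reboot", "ws-0423", "ws-0423"),
    Event("Server Reboot", "erp-db01", "erp-db01"),
    Event("Authentication Failure", "198.51.100.7", "fs-east"),
    Event("Interface State Change", "isp-core-rtr1", "isp-core-rtr1"),
    Event("Interface State Change", "branch-rtr1", "branch-rtr1"),
]

if __name__ == "__main__":
    for score, ev in rank(SAMPLE_EVENTS):
        print(f"{score:3d}  {ev.common_name:<24} {ev.impacted_host:<14} from {ev.origin_host}")
```

With these inputs the ERP reboot (49) and the branch-office link failure (48) outrank the attacker's login failure (45), which is discounted for its false-alarm rate, while the redundant ISP router (29) and the workstation reboot (22) fall to the bottom.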

Log and Event Management

Event Forwarding to Reduce Data for Improved Log Analysis

Identified log entries with the most immediate operational relevance are forwarded to the Event Manager. This typically includes security events, audit failures, warnings and errors. Event forwarding rules work "out of the box", and you can tailor them or create your own. Forwarding only this subset of logs provides the first layer of data reduction.

Log activity for specific filename patterns, IP addresses, hosts or users can also be monitored. When a security policy is violated, LogRhythm can automatically alert designated individuals by e-mail, pager, existing management applications and the LogRhythm console.

Because only the most important log entries are forwarded as events, analysts spend their time in LogRhythm efficiently: instead of weeding through numerous irrelevant log entries, they have the important logs identified for them automatically.

LogRhythm features contextual event forwarding, which enables real-time identification and alerting of anomalies within application, database and network activity. For example, LogRhythm can pinpoint specific exceptions such as transactions greater than a specified dollar amount in a financial application, along with when the transaction occurred, who was responsible and which account was modified.
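The following added example illustrates the forwarding stage described in this section and in the "Event Forwarding" paragraphs above; it is not LogRhythm's rule engine. It assumes normalized records already carry a classification, a priority and parsed key=value fields, models the "out of the box" rules (security events, audit failures, warnings and errors, high priority) as predicates, and adds a custom contextual rule for financial transactions over an assumed $10,000 limit that reports who, when and which account. All nine sample records are constructed, including one whose amount field is not numeric, which a forwarding rule must tolerate without crashing or silently matching.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Record:
    """A normalized log as it leaves the identification stage."""
    time: str                  # normalized 'normal time', ISO 8601 UTC
    host: str
    common_name: str
    classification: str        # security / operations / audit
    priority: int              # risk-based priority, 0-100
    login: str = ""
    fields: Dict[str, str] = field(default_factory=dict)  # parsed key=value pairs


@dataclass
class ForwardedEvent:
    record: Record
    rule: str                  # name of the forwarding rule that matched
    detail: str                # who / when / which account, for the alert text


# Out-of-the-box style rules: anything security-related, any audit failure,
# any warning or error, and anything the prioritizer scored high enough.
PRIORITY_THRESHOLD = 40        # assumed value

def rule_security(r: Record) -> bool:
    return r.classification == "security"

def rule_audit_failure(r: Record) -> bool:
    return r.classification == "audit" and r.fields.get("outcome") == "failure"

def rule_warning_or_error(r: Record) -> bool:
    return r.fields.get("level") in ("warning", "error")

def rule_high_priority(r: Record) -> bool:
    return r.priority >= PRIORITY_THRESHOLD


# Custom contextual rule: a financial transaction above a dollar threshold.
# Amounts arrive as strings from the log, so a non-numeric value such as
# "pending" must neither crash the engine nor be forwarded by accident.
TRANSACTION_LIMIT = 10_000.00  # assumed value

def rule_large_transaction(r: Record) -> bool:
    if r.common_name != "Financial Transaction":
        return False
    try:
        return float(r.fields.get("amount", "0")) > TRANSACTION_LIMIT
    except ValueError:
        return False


RULES: List[Tuple[str, Callable[[Record], bool]]] = [
    ("security-event", rule_security),
    ("audit-failure", rule_audit_failure),
    ("warning-or-error", rule_warning_or_error),
    ("high-priority", rule_high_priority),
    ("large-transaction", rule_large_transaction),
]


def describe(r: Record) -> str:
    """When it occurred, who was responsible and which account was touched."""
    return (f"{r.time} {r.common_name} on {r.host}: user={r.login or '-'} "
            f"account={r.fields.get('account', '-')} amount={r.fields.get('amount', '-')}")


def forward(records: List[Record]) -> List[ForwardedEvent]:
    """Forward each record on the first rule it matches; the rest stay archived."""
    forwarded: List[ForwardedEvent] = []
    for r in records:
        for name, matches in RULES:
            if matches(r):
                forwarded.append(ForwardedEvent(r, name, describe(r)))
                break
    return forwarded


def reduction_ratio(records: List[Record], forwarded: List[ForwardedEvent]) -> float:
    """Fraction of log volume kept out of the Event Manager."""
    return 1.0 - len(forwarded) / len(records) if records else 0.0


# Constructed sample records; priorities are illustrative.
SAMPLE_RECORDS = [
    Record("2024-03-05T20:00:00Z", "fin-app01", "Financial Transaction", "audit", 30, "jdoe",
           {"account": "ACCT-4471", "amount": "25000.00", "outcome": "success", "level": "info"}),
    Record("2024-03-05T20:00:02Z", "fin-app01", "Financial Transaction", "audit", 10, "mlee",
           {"account": "ACCT-1029", "amount": "320.50", "outcome": "success", "level": "info"}),
    Record("2024-03-05T20:00:03Z", "fin-app01", "Financial Transaction", "audit", 10, "mlee",
           {"account": "ACCT-1029", "amount": "pending", "outcome": "success", "level": "info"}),
    Record("2024-03-05T20:00:00Z", "fs-east", "Authentication Failure", "security", 45, "admin", {"level": "info"}),
    Record("2024-03-05T20:00:10Z", "ws-0423", "Server Reboot", "operations", 22, "", {"level": "info"}),
    Record("2024-03-05T20:00:11Z", "erp-db01", "Server Reboot", "operations", 49, "", {"level": "info"}),
    Record("2024-03-05T20:00:12Z", "fs-east", "Object Access", "audit", 35, "tsmith", {"outcome": "failure", "level": "info"}),
    Record("2024-03-05T20:00:13Z", "fs-east", "Disk Space Low", "operations", 20, "", {"level": "warning"}),
    Record("2024-03-05T20:00:14Z", "ws-0423", "Process Started", "operations", 5, "", {"level": "info"}),
]

if __name__ == "__main__":
    events = forward(SAMPLE_RECORDS)
    for ev in events:
        print(f"[{ev.rule}] {ev.detail}")
    print(f"forwarded {len(events)} of {len(SAMPLE_RECORDS)}, reduction {reduction_ratio(SAMPLE_RECORDS, events):.0%}")
```

Five of the nine records reach the Event Manager, a 44% reduction even on this tiny sample; the $25,000 transaction is forwarded with the user and account in the alert text, the $320.50 one and the non-numeric "pending" one are not.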

User-Driven Log Analysis

Once logs are collected, classified, normalized, prioritized, stored and correlated, some rise to the level of an "event". LogRhythm's Event Management function applies the real-time monitoring, alerting, incident management and response appropriate to each. Some events warrant investigation beyond the events themselves into the related log data. For these situations LogRhythm offers investigative capabilities ranging from high-level trending and visualization to real-time monitoring of the activity associated with a specific user, system, device or information asset.


Forensic Log Analysis

Visual Log Analysis through LogMart

The LogRhythm LogMart tool combines visualization, data trending and search. LogMart aggregates millions of logs into a single graphical view, which can expose exceptions in security, compliance and operations over short or long periods of time. Its user-configurable charting and filtering let users switch quickly from viewing months' or even years' worth of log trend data to drilling down to the individual logs that expose the root cause of a security breach or operational problem.

Investigator and Search

The LogRhythm Investigator is an investigation tool for searching and viewing specific sets of logs and events, such as those associated with a specific user or set of users, a specific IP address or range, impacted hosts, impacted applications, a date and time, and more. An easy-to-use wizard guides users through the selection of criteria for their investigation. Once defined, investigation criteria can be saved and reused. Investigations can include events, log metadata, raw log data or any combination of these.

LogRhythm also offers search capabilities to meet the log analysis needs of a variety of users. Whether you are an investigator looking for all activity associated with a specific user, an IT operations manager seeking to understand performance trends for a particular server, or an auditor who needs a list of the individuals outside a trusted user community that accessed a highly sensitive file server over the last 90 days, LogRhythm's quick search serves up the answer from millions of logs quickly and easily.