Installing and operating the Graylog SIEM solution
Log Inspector
Linux has long mastered the art of log forwarding and remote logging, which are prerequisites for external log analysis. Security was a focus from the beginning: an attacker who compromises a system will most likely also try to manipulate or delete the syslog files to cover their tracks. If the administrator forwards logs to a separate loghost, however, the copies there are less likely to fall into the attacker's hands and can still be analyzed after the attack.
As the number of servers grows, so do the size of the logfiles and the risk of overlooking security-relevant entries. Security information and event management (SIEM) products usually price their licenses by log volume. The Graylog [1] open source alternative discussed in this article processes many log formats free of charge; however, once the volume exceeds 5GB per day, license fees kick in.
Why SIEM?
As soon as several servers need to be managed, generating overall statistics or detecting problems that affect multiple servers becomes increasingly complex, even when all the necessary information is available. Because of the sheer quantity of information from different sources, the admin has to rely on tools that present all logs in one place in real time and assist with the evaluation.
SIEM products and services help you detect correlations in a jumble of information by enabling:
- Access to logfiles, even without administrator rights on the production system.
- Collection of the logfiles of all computers in one place.
- Analysis of logs with support for correlation analysis.
- Automatic notification for rule violations.
- Reporting on networks, operating systems, databases, and applications.
- Monitoring of user behavior.
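As an added example (not from the article or the Graylog project), the following Python script shows the kind of cross-server correlation rule a SIEM automates: it parses constructed syslog lines as they would arrive on a central loghost and raises an alert when one source address fails logins on three or more servers within ten minutes. Hostnames, addresses and thresholds are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: syslog lines from several servers as collected on a loghost.
# Hostnames and addresses are invented for this example.
SAMPLE_LOGS = """\
Mar 12 10:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 12 10:00:09 db01 sshd[880]: Failed password for admin from 203.0.113.7 port 51030 ssh2
Mar 12 10:00:15 web02 sshd[3310]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 12 10:00:20 web01 sshd[2105]: Accepted publickey for deploy from 192.0.2.10 port 40212 ssh2
Mar 12 10:30:00 mail01 sshd[400]: Failed password for root from 198.51.100.4 port 6000 ssh2
Mar 12 11:45:00 web01 sshd[2200]: Failed password for root from 198.51.100.4 port 6001 ssh2
"""

# Classic BSD syslog header followed by the OpenSSH failed-login message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse_failures(text, year=2024):
    """Yield (timestamp, host, source_ip) for each failed-login line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # BSD syslog timestamps carry no year, so one is supplied by the caller.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["ip"]

def correlate(text, min_hosts=3, window_s=600):
    """Return {source_ip: sorted hosts} for addresses that failed logins on
    at least min_hosts distinct servers within any window of window_s seconds."""
    events = defaultdict(list)
    for ts, host, ip in parse_failures(text):
        events[ip].append((ts, host))
    alerts = {}
    for ip, ev in events.items():
        ev.sort()
        # Slide a window starting at each event of this source address.
        for i, (t0, _) in enumerate(ev):
            hosts = {h for t, h in ev[i:] if (t - t0).total_seconds() <= window_s}
            if len(hosts) >= min_hosts:
                alerts[ip] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for ip, hosts in correlate(SAMPLE_LOGS).items():
        print(f"ALERT: {ip} failed logins on {len(hosts)} hosts: {', '.join(hosts)}")
```

A single host's auth log would show only one or two failures per server; the pattern becomes visible only once the logs of all servers are side by side.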
Installing and configuring Graylog is quite easy. The Java application uses resources sparingly and stores metadata in