Event Correlation
Correlation is a term heard more and more often in the security world. Overwhelmed
by the volume of data collected from servers, routers, and other network devices,
administrators increasingly value tools that can paint a larger picture of what happened
across the network during a particular window of time. Such a picture becomes extremely
useful when reconstructing the forensics of a security breach or a virus outbreak.
Same-platform correlation
Same-platform correlation suits organizations that run one operating system throughout
their network. For example, a company whose servers all run Microsoft Windows 2000 may
want to collect the event log entries from every server so that it can do trend analysis
across systems. In that setting, event log correlation could show which computer was the
first to be infected with a network-propagating virus, and in what order the virus spread
to the others.
Cross-platform correlation
In organizations with larger networks, many different operating systems and network hardware
platforms may coexist. For example, client desktops may run Windows 2000 Professional behind
a Linux-based firewall and email gateway, which in turn sends and receives Internet traffic
through a Cisco router. Here a more effective solution is one that consolidates and monitors
log entries from several different sources, such as Windows event logs together with syslog
messages forwarded from the Linux machines and the Cisco routers. An attempted security
breach illustrates the value of such a product. Logon attempts recorded by the Linux-based
firewall and by the Windows 2000 desktops could be forwarded to a central system capable of
processing both incoming syslog packets and Windows event log entries. If an attacker
compromised the firewall and then tried to log on to a desktop, the central system would hold
the complete logon audit trail, spanning both message types, rather than two unrelated
fragments on two machines.
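The breach scenario above, worked through as an added example (not code from the original article or from any product it names): syslog lines from a Linux firewall and exported Windows logon events are normalised into one schema, failed firewall logons are linked to desktop logon attempts from the same source address inside a time window, and a first-seen ordering of hosts is derived, which is the same view the same-platform section uses to find the first infected machine. All log lines and records are constructed; the Windows record field names, the presence of a source address in the exported record, and the collector-supplied year for the BSD-style syslog timestamps are assumptions.

```python
"""Cross-platform logon correlation over constructed sample logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed syslog as a Linux firewall would forward it. BSD-style syslog
# timestamps carry no year, so the collector has to supply one (assumption).
SYSLOG_LINES = [
    "Mar 14 02:11:05 fw01 sshd[4122]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar 14 02:11:09 fw01 sshd[4122]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar 14 02:11:40 fw01 sshd[4130]: Accepted password for admin from 203.0.113.7 port 51100 ssh2",
    "Mar 14 02:20:00 fw01 sshd[4140]: Failed password for backup from 198.51.100.9 port 40000 ssh2",
]

# Constructed Windows event-log records as an agent might export them. Field names
# are this example's own. 529 = failed logon, 528 = successful logon (Windows 2000
# security log); that the record carries a source address is an assumption.
WINDOWS_EVENTS = [
    {"time": "2001-03-14 02:12:15", "computer": "DESK17", "event_id": 529,
     "user": "Administrator", "source_ip": "203.0.113.7"},
    {"time": "2001-03-14 02:12:31", "computer": "DESK17", "event_id": 528,
     "user": "Administrator", "source_ip": "203.0.113.7"},
    {"time": "2001-03-14 02:30:00", "computer": "DESK02", "event_id": 528,
     "user": "jsmith", "source_ip": "10.0.0.55"},
]


class Event(NamedTuple):
    ts: datetime
    host: str       # system that recorded the event
    source: str     # "syslog" or "eventlog"
    success: bool   # logon outcome
    user: str
    ip: str         # address the logon came from


SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_syslog(line, year):
    """Normalise one sshd syslog line; None for lines this example does not model."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["host"], "syslog", m["result"] == "Accepted", m["user"], m["ip"])


def parse_windows(rec):
    """Normalise one exported Windows logon event (528 success / 529 failure)."""
    ts = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
    return Event(ts, rec["computer"], "eventlog", rec["event_id"] == 528,
                 rec["user"], rec["source_ip"])


def load_events(year=2001):
    """Both feeds merged into one time-ordered stream, as the central collector sees it."""
    events = [parse_windows(r) for r in WINDOWS_EVENTS]
    events += [e for e in (parse_syslog(l, year) for l in SYSLOG_LINES) if e]
    return sorted(events, key=lambda e: e.ts)


def correlate(events, firewall_hosts, window=timedelta(minutes=10)):
    """Flag each logon attempt at a non-firewall host whose source address failed
    to log on at a firewall host within `window` before it."""
    fw_failures = defaultdict(list)  # source ip -> firewall failure times
    findings = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.host in firewall_hosts:
            if not e.success:
                fw_failures[e.ip].append(e.ts)
            continue
        prior = [t for t in fw_failures[e.ip] if e.ts - window <= t <= e.ts]
        if prior:
            findings.append({"source_ip": e.ip, "firewall_failures": len(prior),
                             "first_failure": prior[0], "target": e.host,
                             "target_user": e.user, "target_success": e.success,
                             "at": e.ts})
    return findings


def first_seen_by_host(events, ip):
    """Hosts in the order a source address first touched them; applied to
    infection events instead of logons, this is the 'first infected' ordering."""
    first = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.ip == ip and e.host not in first:
            first[e.host] = e.ts
    return list(first)


if __name__ == "__main__":
    evs = load_events()
    for finding in correlate(evs, {"fw01"}):
        print(finding)
    print(first_seen_by_host(evs, "203.0.113.7"))
```

Run as a script, the correlator reports two findings for 203.0.113.7 against DESK17 (a failed and then a successful logon, each preceded by two firewall failures) and nothing for 198.51.100.9, whose firewall failures were never followed by a desktop logon. Note that the result depends entirely on the two feeds sharing a time base: shrinking the window to 30 seconds, or a clock skew of a few minutes between fw01 and the desktops, would hide the chain.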
Recommendations
At a bare minimum, organizations should deploy an event log correlation system that matches the
platform used by the majority of systems on the network. If budgets and resources permit,
a cross-platform log correlation system paints a much richer picture of activity at many
different levels of the network. Whichever is chosen, the systems being correlated should keep
their clocks synchronized (for example via NTP) and the collector should record each source's
time zone, since correlation across hosts is only as trustworthy as the timestamps it compares.
Other resources:
Event Archiver
Software capable of consolidating the event logs of many different
servers into a central database for correlation and analysis.
Event Alarm
Software capable of cross-platform log consolidation and monitoring,
including Windows 2000 event logs and syslog devices.