Modern IT infrastructures grow more complex as more technologies are put together: security appliances, databases, servers, remote access devices, network equipment and much more. All of those components generate a huge number of events per day, and those events can be very valuable for detecting and investigating security incidents (see incident handling).
To properly manage those events (from both a technical and an operational point of view), a good log management solution must be implemented to take care of all the events generated across the infrastructure. A classic log management solution addresses the following challenges:
- The collection of events from multiple sources using multiple protocols (open or proprietary)
- The normalization of events into a single common format
- The categorization of events based on their source or location (e.g. DMZ devices, firewalls, critical devices, …)
- The indexing of events in a centralized database
- The definition and enforcement of retention policies
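The five challenges above, carried through end to end as an added example (this is not code from the original article or from any product it describes). The sample log lines, the host-to-category mapping, the normalized schema and the assumed year for the syslog timestamps are all constructed assumptions; the "central database" is an in-memory SQLite table standing in for a real indexing backend.

```python
"""Minimal log-management pipeline: collect, normalize, categorize, index, retain.

Added example, not from the original article. Sample lines, host categories,
the event schema and ASSUMED_YEAR are constructed assumptions for illustration.
"""
import json
import re
import sqlite3
from datetime import datetime, timedelta, timezone

ASSUMED_YEAR = 2024  # RFC 3164 syslog carries no year; assumed for the sample
FIXED_NOW = datetime(2024, 3, 5, 12, 0, tzinfo=timezone.utc)  # reproducible "now"

# Collection: (source host as seen by the collector, raw line), three formats.
RAW_EVENTS = [
    ("fw-dmz-01", "<34>Mar  5 10:02:11 fw-dmz-01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 DPT=22"),
    ("app-01", '{"ts":"2024-03-05T10:02:15Z","level":"WARN","msg":"login failed for user alice from 203.0.113.9"}'),
    ("web-01", '203.0.113.9 - - [05/Mar/2024:10:02:20 +0000] "GET /admin HTTP/1.1" 403 512'),
    ("web-01", '192.0.2.10 - - [01/Jan/2024:08:00:00 +0000] "GET / HTTP/1.1" 200 1024'),  # old, for retention
]

# Categorization: assumed mapping from source host to zone/criticality.
HOST_CATEGORY = {"fw-dmz-01": "dmz-firewall", "app-01": "critical-app", "web-01": "dmz-web"}
SYSLOG_SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$')
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def first_ip(text):
    m = IP_RE.search(text)
    return m.group(0) if m else None


def normalize(source_host, raw):
    """Normalization: map one raw line, whatever its format, onto the common schema."""
    if m := SYSLOG_RE.match(raw):
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"ts": ts.isoformat(), "host": m["host"], "source_type": "syslog",
                "severity": SYSLOG_SEVERITY[int(m["pri"]) & 7],  # low 3 bits of PRI
                "src_ip": first_ip(m["msg"]), "message": f"{m['tag']}: {m['msg']}"}
    if raw.startswith("{"):
        doc = json.loads(raw)
        ts = datetime.fromisoformat(doc["ts"].replace("Z", "+00:00"))
        return {"ts": ts.isoformat(), "host": source_host, "source_type": "json",
                "severity": doc["level"].lower(), "src_ip": first_ip(doc["msg"]), "message": doc["msg"]}
    if m := APACHE_RE.match(raw):
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        status = int(m["status"])
        return {"ts": ts.isoformat(), "host": source_host, "source_type": "apache",
                "severity": "warning" if status >= 400 else "info",
                "src_ip": m["ip"], "message": f"{m['req']} -> {status}"}
    raise ValueError(f"unrecognised log format: {raw[:40]!r}")


def categorize(event):
    """Categorization: tag the event with the zone/criticality of its source."""
    event["category"] = HOST_CATEGORY.get(event["host"], "uncategorized")
    return event


def build_index(raw_events):
    """Indexing: normalize, categorize and store every event in one searchable table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts TEXT, host TEXT, category TEXT, source_type TEXT, "
                 "severity TEXT, src_ip TEXT, message TEXT, raw TEXT)")
    conn.execute("CREATE INDEX idx_ts ON events(ts)")
    conn.execute("CREATE INDEX idx_src_ip ON events(src_ip)")
    for host, raw in raw_events:
        ev = categorize(normalize(host, raw))
        conn.execute("INSERT INTO events VALUES (?,?,?,?,?,?,?,?)",
                     (ev["ts"], ev["host"], ev["category"], ev["source_type"],
                      ev["severity"], ev["src_ip"], ev["message"], raw))  # raw kept for forensics
    conn.commit()
    return conn


def enforce_retention(conn, now, days):
    """Retention: delete events older than the window; returns the number removed."""
    cutoff = (now - timedelta(days=days)).isoformat()  # all ts are ISO UTC, so string compare is safe
    cur = conn.execute("DELETE FROM events WHERE ts < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def search_by_source_ip(conn, ip):
    """The payoff: one query across firewall, application and web sources."""
    rows = conn.execute("SELECT ts, host, category, severity, message FROM events "
                        "WHERE src_ip = ? ORDER BY ts", (ip,))
    return [dict(zip(("ts", "host", "category", "severity", "message"), r)) for r in rows]


if __name__ == "__main__":
    conn = build_index(RAW_EVENTS)
    print("expired events removed:", enforce_retention(conn, FIXED_NOW, days=30))
    for hit in search_by_source_ip(conn, "203.0.113.9"):
        print(hit)
```

Keeping the raw line alongside the normalized fields matters in practice: normalization is lossy, and an investigator will eventually need the original bytes. Note also that retention is expressed on the normalized timestamp, which is why every parser converts to UTC before storing.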
A log management solution has many benefits for day-to-day security operations:
- A central place to search for information
- A single, consistent event format
- Restricted (and controlled) access to the data
- Powerful searching capabilities
Once the log management solution is properly deployed, the next phase is to get more value from the stored events by implementing correlation rules and adding useful external sources.
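A correlation rule of the kind this next phase introduces, as an added example (not code from the original article): several failed logins from one source within a short window, followed by a success from the same source, raises one alert, and the alert is enriched from an external source. The normalized events, the thresholds and the "known bad IP" list standing in for an external feed are all constructed assumptions.

```python
"""Correlation rule over normalized events: brute force followed by a success.

Added example, not from the original article. EVENTS, WINDOW, FAILURE_THRESHOLD
and KNOWN_BAD_IPS are constructed assumptions; the event schema is one possible
normalized format, not a standard.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=60)   # failures must fall within this span (assumed)
FAILURE_THRESHOLD = 3            # minimum failures before a success is suspicious (assumed)

# Constructed stand-in for an external enrichment source (e.g. a reputation feed).
KNOWN_BAD_IPS = {"203.0.113.9"}


def _t(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed normalized authentication events, deliberately not in time order.
EVENTS = [
    {"ts": _t("2024-03-05T10:02:15"), "host": "app-01", "src_ip": "203.0.113.9", "user": "alice", "outcome": "failure"},
    {"ts": _t("2024-03-05T10:00:00"), "host": "app-01", "src_ip": "198.51.100.20", "user": "bob", "outcome": "failure"},
    {"ts": _t("2024-03-05T10:02:25"), "host": "app-01", "src_ip": "203.0.113.9", "user": "alice", "outcome": "failure"},
    {"ts": _t("2024-03-05T10:00:30"), "host": "app-01", "src_ip": "198.51.100.20", "user": "bob", "outcome": "failure"},
    {"ts": _t("2024-03-05T10:02:40"), "host": "app-01", "src_ip": "203.0.113.9", "user": "admin", "outcome": "failure"},
    {"ts": _t("2024-03-05T10:03:05"), "host": "app-01", "src_ip": "203.0.113.9", "user": "admin", "outcome": "success"},
    {"ts": _t("2024-03-05T10:05:00"), "host": "app-01", "src_ip": "198.51.100.20", "user": "bob", "outcome": "success"},  # failures expired
    {"ts": _t("2024-03-05T10:06:00"), "host": "app-01", "src_ip": "192.0.2.10", "user": "carol", "outcome": "failure"},
    {"ts": _t("2024-03-05T10:06:10"), "host": "app-01", "src_ip": "192.0.2.10", "user": "carol", "outcome": "success"},  # one typo, benign
]


def correlate(events, window=WINDOW, threshold=FAILURE_THRESHOLD, bad_ips=KNOWN_BAD_IPS):
    """One pass over time-ordered events keeping a sliding window of failures per source.

    Returns one alert per (source, success) pair that had >= threshold failures
    inside the window, enriched with whether the source is on the external list.
    """
    failures = defaultdict(deque)  # src_ip -> timestamps of failures still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = failures[ev["src_ip"]]
        while recent and ev["ts"] - recent[0] > window:   # expire old failures
            recent.popleft()
        if ev["outcome"] == "failure":
            recent.append(ev["ts"])
        elif ev["outcome"] == "success" and len(recent) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "src_ip": ev["src_ip"],
                "host": ev["host"],
                "user": ev["user"],
                "failures_in_window": len(recent),
                "first_failure": recent[0].isoformat(),
                "success_at": ev["ts"].isoformat(),
                "known_bad_ip": ev["src_ip"] in bad_ips,   # external-source enrichment
            })
            recent.clear()  # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The rule only works because the events were already normalized: it keys on `src_ip` and `outcome` regardless of whether the original line came from a VPN concentrator, an SSH daemon or a web application, which is exactly the value a log management layer provides before any correlation is attempted.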