Log Management

Log management is the process of collecting, normalising and archiving logs so that they can be analysed as and when required. Logs are records of the information that flows in and out of an organisation's network. In an organisational setup a tremendous volume of logs is generated daily, and these logs are often the first, and sometimes the only, way to detect unusual events and attacks. Log management therefore needs to be carried out as an ongoing activity, with the logs scrutinised 24x7, to prevent attacks, threats or malware from entering an organisation's network.

Log management is an inbuilt feature of the RSIM module of the CNAM suite. It enables organisations and enterprises to perform log management with ease and simplicity, so that an organisation can channel its security effort towards monitoring and ensuring streamlined and coherent network performance. By reducing network downtime, it enables security analysts to efficiently implement security policies and compliance modules in the organisation.

RSIM manages the logs as follows:

Log Collection and archival

RSIM collects logs from every asset in an organisation that is capable of generating them, such as workstations, web servers, applications, routers, switches, firewalls, IDS/IPS/HIPS and anti-virus software. RSIM retains the logs for the period required by the applicable compliance standards and facilitates easy archival of the generated logs.

Log Normalisation

Logs are collected from multiple sources in differing raw formats and need to be normalised in order to yield coherent, useful information that can be analysed. RSIM has sophisticated normalisation techniques embedded within it to convert raw logs into useful information.

Event analysis console

RSIM has an event analysis console that enables security analysts to write and save log queries and to create filters that aid in the scrutiny of suspicious activities. This helps security analysts manage logs efficiently and secure high-risk assets against external and internal threats and attacks.

Real time event analysis

The event analysis console enables security analysts to create filters that identify an attack. These filters notify the security analysts as soon as a breach of a filter rule is detected. The breach can then be traced in real time to the attacker, and countermeasures and a mitigation plan can be implemented to curb the attack.

Log correlation and threat management

Combined with RSEM and its correlation modules, RSIM provides multi-level correlation that enables an organisation to correlate logs from events occurring at multiple sites and across multiple groups, and with the intelligence feeds of the CNAM engine. This helps in identifying threat and attack patterns that would seem harmless or vague in the absence of correlation.
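The three steps described above (normalising raw logs from different sources into one schema, applying a saved filter rule that alerts on a breach, and correlating the alert across sites and with an intelligence feed) can be illustrated end to end with a small script. The following is an added example written for this page; it is not code from RSIM, RSEM or the CNAM suite, and the log lines, IP addresses, site names, the "brute force" rule and the intelligence feed are all constructed for the illustration.

```python
"""Normalise raw logs from two sources, apply a filter rule, correlate across sites.
Constructed example: the log lines, addresses, sites and intel list are made up."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed raw log lines: (site, source type, raw line). Not real data.
RAW_LOGS = [
    ("site-A", "sshd", "2024-03-01T10:00:01Z sshd[811]: Failed password for root from 198.51.100.7 port 4021 ssh2"),
    ("site-A", "sshd", "2024-03-01T10:00:09Z sshd[811]: Failed password for admin from 198.51.100.7 port 4022 ssh2"),
    ("site-A", "sshd", "2024-03-01T10:00:20Z sshd[811]: Failed password for root from 198.51.100.7 port 4023 ssh2"),
    ("site-A", "sshd", "2024-03-01T10:05:00Z sshd[812]: Accepted password for alice from 203.0.113.5 port 5001 ssh2"),
    ("site-B", "fw",   "ts=2024-03-01T10:02:30Z action=deny src=198.51.100.7 dst=10.2.0.15 dport=3389"),
    ("site-B", "fw",   "ts=2024-03-01T10:03:00Z action=allow src=203.0.113.5 dst=10.2.0.20 dport=443"),
]

# Constructed stand-in for an intelligence feed: source IPs flagged as hostile.
INTEL_FEED = {"198.51.100.7"}

SSHD_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src_ip>\S+)")
FW_RE = re.compile(r"^ts=(?P<ts>\S+) action=(?P<outcome>\w+) src=(?P<src_ip>\S+) dst=(?P<dst_ip>\S+) dport=(?P<dport>\d+)")


def normalise(site, source, line):
    """Map one raw line onto a common schema; return None for lines that do not parse."""
    ts_of = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    if source == "sshd":
        m = SSHD_RE.match(line)
        if not m:
            return None
        return {"ts": ts_of(m["ts"]), "site": site, "source": source, "category": "auth",
                "src_ip": m["src_ip"], "user": m["user"],
                "outcome": "failure" if m["outcome"] == "Failed" else "success"}
    if source == "fw":
        m = FW_RE.match(line)
        if not m:
            return None
        # Firewall verdicts are mapped onto the same outcome vocabulary as auth events.
        return {"ts": ts_of(m["ts"]), "site": site, "source": source, "category": "network",
                "src_ip": m["src_ip"], "dst_ip": m["dst_ip"], "dport": int(m["dport"]),
                "outcome": "failure" if m["outcome"] == "deny" else "success"}
    return None


def normalise_all(raw_logs):
    """Normalise a batch, silently dropping lines no parser understands."""
    events = (normalise(site, source, line) for site, source, line in raw_logs)
    return [e for e in events if e is not None]


def failed_login_alerts(events, threshold=3, window_s=60):
    """Filter rule: `threshold` or more failed logins from one source IP within a sliding window."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["category"] == "auth" and e["outcome"] == "failure":
            by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events in [start, end] fit the window.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "brute_force", "src_ip": ip, "count": end - start + 1,
                               "first": evs[start]["ts"], "last": evs[end]["ts"]})
                break  # one alert per source IP is enough here
    return alerts


def correlate(events, alerts, intel_feed):
    """Multi-level correlation: join each alert's source IP with activity seen at other
    sites and with the intelligence feed, raising severity as evidence accumulates."""
    sites_by_ip = defaultdict(set)
    for e in events:
        sites_by_ip[e["src_ip"]].add(e["site"])
    out = []
    for a in alerts:
        sites = sites_by_ip[a["src_ip"]]
        severity = "medium"
        if len(sites) > 1:          # same source active at more than one site
            severity = "high"
        if a["src_ip"] in intel_feed:  # corroborated by the intelligence feed
            severity = "critical"
        out.append({**a, "sites": sites, "severity": severity, "in_intel": a["src_ip"] in intel_feed})
    return out


if __name__ == "__main__":
    evs = normalise_all(RAW_LOGS)
    for alert in correlate(evs, failed_login_alerts(evs), INTEL_FEED):
        print(alert)
```

Each normalised event carries the same field names regardless of its source, which is what lets a single filter rule or correlation query run over sshd and firewall records alike. The firewall deny at site-B on its own would look harmless, and three failed logins at site-A might be a user mistyping a password; only the join across sites and the intelligence feed turns the alert into a critical one.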

RSIM, individually and in combination with RSEM, thus proves to be a very efficient tool for effective log management.
