
A syslog server just isn’t good enough anymore

Like many network professionals I have been tasked to provide some sort of log management system. Back in the 90’s I would have just thrown in a syslog server and called it good. Today, however, there is a need to analyze and react to logs from multiple devices. Traditional syslog servers simply collected logs; there was little, if any, analytical capability to correlate data between devices. There is also a plethora of regulations that network administrators must adhere to, anything from the Sarbanes-Oxley Act of 2002 (SOX) to the Payment Card Industry Data Security Standard (PCI DSS).

An option called SIEM, which stands for Security Information and Event Management, came out some years ago to fill this void. SIEM has also been referred to as Security Incident and Event Manager. I prefer the first definition of the acronym; however, both are accurate descriptions. It also appears that the vendors I’m working with prefer the first definition. These products were good at sorting through firewall and IDP logs. However, from personal experience I can attest to the fact that some of them were a nightmare to deploy and configure. The cost of these systems also put them at an almost unattainable level for SMBs.

Now there is a new breed of SIEM products which fill the gaps in log management and security management. Newer SIEM products take the features of a traditional syslog server and incorporate them into a more robust event manager. The first big change from traditional SIEM products is that they are no longer focused solely on security devices. SIEMs now collect data from all network and system devices. This includes (but is not limited to) routers, switches, firewalls, IDPs, SSL-VPNs, servers, applications, etc.

Just like a traditional syslog server, the SIEM will collect and archive all of the raw logs. This alone is good enough for some regulatory compliance requirements. Simply complying with regulations, though, is not enough in the modern IT world: administrators must be able to find actual problems. To answer this, SIEMs analyze all of the log data and provide feedback to administrators. The upshot is that suspicious or out-of-place events can be alerted on and reacted to. For instance, if multiple devices inside a network get a lot of SSH authentication failures, it could show that someone inside the network is trying to access devices they should not be on. The SIEM at this point can alert the security administrator to the event.
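The cross-device SSH failure scenario above is exactly the correlation a plain syslog server never did. The following is an added example, not code from the post or from any vendor product: it parses constructed sshd syslog lines and alerts only when one source address racks up failures on several different hosts. The thresholds (3 failures per host, 2 hosts, 5 minute window) are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog (RFC 3164 style) from four hosts; not from the post.
SAMPLE_LOGS = """\
Mar 10 14:02:11 router1 sshd[2110]: Failed password for admin from 10.0.0.57 port 51022 ssh2
Mar 10 14:02:13 router1 sshd[2110]: Failed password for admin from 10.0.0.57 port 51023 ssh2
Mar 10 14:02:15 router1 sshd[2111]: Failed password for root from 10.0.0.57 port 51024 ssh2
Mar 10 14:02:40 switch2 sshd[881]: Failed password for admin from 10.0.0.57 port 51100 ssh2
Mar 10 14:02:42 switch2 sshd[881]: Failed password for admin from 10.0.0.57 port 51101 ssh2
Mar 10 14:02:44 switch2 sshd[882]: Failed password for invalid user cisco from 10.0.0.57 port 51102 ssh2
Mar 10 14:03:01 fw1 sshd[4021]: Failed password for admin from 10.0.0.57 port 51200 ssh2
Mar 10 14:03:03 fw1 sshd[4021]: Failed password for admin from 10.0.0.57 port 51201 ssh2
Mar 10 14:03:05 fw1 sshd[4022]: Failed password for admin from 10.0.0.57 port 51202 ssh2
Mar 10 14:05:00 web3 sshd[777]: Failed password for deploy from 10.0.0.88 port 40001 ssh2
Mar 10 14:05:10 web3 sshd[778]: Accepted password for deploy from 10.0.0.88 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_failures(text, year=2024):
    """Yield (timestamp, host, user, src) per sshd failure line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["user"], m["src"]

def correlate(text, per_host=3, min_hosts=2, window_s=300):
    """Return {src: sorted hosts} for sources with >= per_host failures inside
    window_s seconds on >= min_hosts distinct hosts. One noisy host is ignored;
    the same source failing across several devices is what gets alerted."""
    stamps = defaultdict(list)  # (src, host) -> [timestamps]
    for ts, host, _user, src in parse_failures(text):
        stamps[(src, host)].append(ts)
    hosts_by_src = defaultdict(set)
    for (src, host), times in stamps.items():
        times.sort()
        # sliding window over this host's failures from this source
        if any((times[i + per_host - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - per_host + 1)):
            hosts_by_src[src].add(host)
    return {src: sorted(h) for src, h in hosts_by_src.items() if len(h) >= min_hosts}
```

With the sample data, 10.0.0.57 is reported against router1, switch2 and fw1, while the single failure from 10.0.0.88 on web3 stays below the threshold.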

My process of finding a SIEM for my corporation has just started. So far the products I have looked at are light years beyond the syslog and Generation 1 SIEMs I’ve worked with in the past. Some of the solutions come as an appliance or virtual machine, making deployment quick and easy. The key when looking at these devices is that they incorporate the best of a syslog server and a traditional SIEM into the same interface. As I get further in the process I will update my thoughts on the products tested.

Categories: Security