Smart log server


(alireza) #1

Hi everyone

I am looking for a log server with these features for around 800 servers and network devices:

The log server should have these 4 main sections:

Log collect
Log parse and store
Log analyze
Report and Alert

I need these logs types:

  1. Authentication and Authorization Reports
  2. Systems and Data Change Reports
  3. Network Activity Reports
  4. Resource Access Reports
  5. Malware Activity Reports
  6. Failure and Critical Error Reports

Authentication and Authorization Reports:

All login failures and successes by user, system, business unit
Login attempts (successes, failures) to disabled/service/non-existing/default/suspended accounts
All logins after office hours / “off” hours
User authentication failures by count of unique attempted systems
VPN authentication and other remote access logins (success, failure)
Privileged account access (successes, failures)
Multiple login failures followed by success by same account

Systems and Data Change Reports:

Additions/changes/deletions to users, groups
Additions of accounts to administrator / privileged groups
Password changes and resets – by users and by admins to users
Additions/changes/deletions to network services
Changes to system files – binaries, configurations
Changes to other key files
Changes in file access permissions
Application installs and updates (success, failure) by system, application, user

Network Activity Report:

All outbound connections from internal and DMZ systems by system, connection count, user, bandwidth, count of unique destinations
All outbound connections from internal and DMZ systems during "off" hours
Top largest file transfers (inbound, outbound) OR Top largest sessions by bytes transferred
Web file uploads to external sites
All file downloads by content type (exe, dll, scr, upx, etc) and protocol (HTTP, IM, e-mail, etc)
Internal systems using many different protocols/ports
Top internal systems as sources of multiple types of NIDS, NIPS or WAF Alerts
VPN network activity by user name, total session bytes, count of sessions, usage of internal resources
P2P use by internal systems
Wireless network activity
Log volume trend over days

Resource Access Reports:

Access to resources on critical systems after office hours / “off” hours
Top internal users blocked by proxy from accessing prohibited sites, malware sources, etc
File, network share or resource access (success, failure)
Top database users
Summary of query types
All privileged database user access
All users executing INSERT, DELETE database commands
All users executing CREATE, GRANT, schema changes on a database
Summary of database backups
Top internal email addresses sending attachments to outside
All emailed attachment content types, sizes, names
All internal systems sending mail excluding known mail servers
Log access summary

Malware Activity Reports:

Malware detection trends with outcomes
Detect-only events from anti-virus tools
All anti-virus protection failures
Internal connections to known malware IP addresses
Least common malware types

Critical Errors and Failures Reports:

Critical errors by system, application, business unit
System and application crashes, shutdowns, restarts
Backup failures
Capacity / limit exhaustion events for memory, disk, CPU and other system resources

Does ELK support these features? What application or plugins support these features? Thanks in advance.
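Two of the authentication reports requested above (multiple login failures followed by a success by the same account, and logins after office hours), as an added Python example that is not part of the original post or of any ELK component; the sshd-style log lines are constructed, and the failure threshold, time window and office hours are assumptions:

```python
import re
from datetime import datetime, timedelta

# Constructed sample of sshd-style auth events (not real logs).
SAMPLE_LOG = """\
2024-03-04T02:10:01 host1 sshd: Failed password for alice from 10.0.0.5
2024-03-04T02:10:04 host1 sshd: Failed password for alice from 10.0.0.5
2024-03-04T02:10:07 host1 sshd: Failed password for alice from 10.0.0.5
2024-03-04T02:10:09 host1 sshd: Accepted password for alice from 10.0.0.5
2024-03-04T09:15:00 host2 sshd: Accepted publickey for bob from 10.0.0.9
2024-03-04T22:30:00 host2 sshd: Accepted publickey for carol from 10.0.0.7
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(text):
    """Parse the constructed line format into event dicts; unparsed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count these as a parse-failure metric
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"], "user": m["user"], "src": m["src"],
            "success": m["result"] == "Accepted",
        })
    return events

def failures_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """(user, host, ts) for each success preceded by >= min_failures failures within window."""
    hits = []
    recent = {}  # (user, host) -> failure timestamps still inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["host"])
        fails = [t for t in recent.get(key, []) if e["ts"] - t <= window]
        if e["success"]:
            if len(fails) >= min_failures:
                hits.append((e["user"], e["host"], e["ts"]))
            fails = []  # a success resets the failure streak for this account
        else:
            fails.append(e["ts"])
        recent[key] = fails
    return hits

def off_hours_logins(events, start_hour=8, end_hour=18):
    """Successful logins outside the assumed office hours [start_hour, end_hour)."""
    return [(e["user"], e["host"], e["ts"]) for e in events
            if e["success"] and not (start_hour <= e["ts"].hour < end_hour)]
```

The same two rules map directly onto a scheduled query over parsed auth events in ELK or any other log store; the value of the parse step is that each report is then a filter over fields rather than a regex over raw text.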

