Archive for the ‘Log Management’ Category

Log management as SaaS – 3

November 14, 2010 1 comment

This post is in continuation to Log management as SaaS – 2.

This post discusses the advantages of the SaaS-based model.

Why SaaS for Log Management?

Log management today is a basic part of operations best practice for infrastructure management. A SaaS solution for log management is more efficient, more effective and less costly than a traditional on-premise product deployment owned by the company. The following are a few more advantages of the SaaS model compared to the on-premise model.

SaaS Vs On-Premise model

  • Cost of physical space:
    • On-Premise Model: An on-premise model typically requires the customer to manage and maintain a concentration of 3-4 servers within the same data center, server room, and typically even the same server rack in order to operate effectively.
      • This introduces delays through the change control process whenever the infrastructure has to be moved, additional rack space is purchased, a new hardware component is introduced, etc.
      • The cost of electricity is higher, since extra cooling is needed for safe equipment operation.
    • SaaS Model: In the SaaS model, the entire infrastructure is maintained by the cloud vendor, except for a log collection server that is installed at the customer location. The log collection server collects the logs from the client's infrastructure and securely sends them to one or more off-site data centers that house the physical infrastructure required to analyze and redundantly archive the log data.

How do you like this series of posts on Log Management? Do let me know through your comments…

Log management as SaaS – 2

November 14, 2010 3 comments

This post is in continuation to my earlier post on “Log management as SaaS – 1”. It covers an overview of the SaaS-based model and the importance of a log management solution.

Target Readers

The reader should have a basic knowledge of enterprise log management to understand this post. The basics of enterprise log management are not covered as part of this post. You may browse through the following link for the basics:


“The midmarket tends not to have security staff, or the need for a security console. They just need to collect event log data that they can produce on demand. The midmarket is not trying to boil the security management ocean. They just need to retain event log data for PCI compliance.” – Eric Ogren of The Ogren Group, a Stow, Mass.-based consultancy

An affordable log management solution can help firms in the small, mid market to deal with growing scrutiny from regulations such as Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).

What is Enterprise Log Management?

Log management is the process of generating, transmitting, storing, analyzing, and disposing of computer security log data. The Security Information and Event Management (SIEM) market has undergone rapid transformation over the past few years and has generally evolved into two functions: Event Collection and Event Relevance.

  • Event Collection includes normalization and basic silo correlation of an event.
  • Event Relevance includes event translation, cross-silo correlation and incident creation.

Broadly, the security management market can be divided into the following segments:

  1. Security Event Management
    • Arcsight, Netforensics
  2. Security Information Management
    • CA, Intellitactics, e-Security
  3. Log Management
    • Log Logic, Sensage, Network Intelligence

Before we go any further, let's first understand the importance of log management:

  1. Proactive log management is mandated and is the focus of many regulations within the financial services industry.
  2. According to the Basel II Accord, an organization's logs should be retained for 3 to 7 years.
  3. The Sarbanes-Oxley Act (SOX) of 2002 requires audits of unauthorized access, misuse, and fraud to ensure the accuracy of corporate financial and business information, and requires financial records to be maintained for seven years.
  4. The Federal Financial Institutions Examination Council (FFIEC) recommends that audit logs be reviewed daily and shared with senior management.
  5. The Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLBA) mandates that financial institutions protect the security and confidentiality of customer information; it expects this to be achieved through prudent log management practices that successfully monitor and analyze activities that could lead to the loss of sensitive customer information.
  6. PCI mandates retention of logs for 1 year, and the EU Data Retention directive mandates retention of logs for 2 years…
  7. Log management can ensure business continuity and helps improve operating efficiency.

Log management as SaaS – 1

October 31, 2010 2 comments

This blog post primarily deals with Log Management as Software as a Service (SaaS). I have split it into 2 parts – the first being this one, which talks about the problem statement, and the second one, which is more technical.

The definition of SaaS itself is the subject of a long debate. Without getting into that dispute, I would like to state a simple definition (courtesy of RADLab):

Definition: Delivering applications over the internet

Now, coming to what log management is actually all about…

Any asset (or computer) that is considered critical may be vulnerable to attack. Managing the logs of these assets becomes a critical task, both for monitoring the system before an attack and for doing forensics after one. Having said that, storing the logs becomes a critical step in protecting the asset.

It is a compliance requirement that every product generate and store event logs efficiently. For example, the Windows OS as a product should store the events occurring in the system; similarly, products such as Oracle, ERP systems, etc. should generate logs and store them for auditing. An event here could be access to a piece of functionality or an edit/delete/create operation. This applies not only to stand-alone products but also to web-based products, which should generate and store logs for forensic investigation.

Now that we understand that managing the logs of an asset is a critical task in monitoring a system, the questions that pop up are: who has to look at the logs constantly, and how would I know that an attack has actually taken place?

A feasible solution would be to alert an administrator upon any malicious activity on any asset in the network. With this premise, centralized management of logs is the desired way to solve our problem. When we say centralized log storage, we need agents running on each and every asset in the network that can push the alert logs to the centralized server.

In addition, you should have a tool that provides a centrally searchable, distributed archive of critical logs, along with non-real-time reporting and basic policy violation alerting. There are players in this area who provide such a tool, such as CA, Symantec, McAfee and LogLogic, to name a few. Generally, organizations buy a Log Management (from here on, LM) solution from one of these vendors to manage their logs effectively and comply with the standards. For those who do not know this, managing, monitoring, storing and archiving logs is a compliance issue; organizations failing to do so are sometimes even liable to jail time.
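The architecture sketched in this post and in part 3 (agents on each asset pushing logs to a central server, a collection server forwarding them securely, a searchable archive, and basic policy-violation alerting) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the post or from any of the vendors named; the agent key, host names, log lines and the "three authentication failures" rule are all constructed for the example. Batch integrity is protected with an HMAC so that a batch altered between agent and collector is rejected, which is the property a centralized archive needs before its contents can be trusted for forensics (a real deployment would additionally use TLS and per-agent keys).

```python
"""Toy model of a centralized log-management pipeline.

Agent side: batch raw log lines and authenticate the batch with an HMAC.
Collector side: verify the batch, archive it, run a basic policy rule and
offer a central search. Illustration only; not any vendor's product.
"""
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed shared secret for the example. In a real deployment each agent
# would hold its own key and the transport would also be TLS-protected.
AGENT_KEY = b"constructed-agent-key"

# Constructed syslog-style sample lines, keyed by the host that produced them.
SAMPLE_LINES = {
    "web01": [
        "Nov 14 10:00:01 web01 sshd[2201]: pam_unix(sshd:auth): authentication failure; user=root rhost=203.0.113.9",
        "Nov 14 10:00:03 web01 sshd[2201]: pam_unix(sshd:auth): authentication failure; user=root rhost=203.0.113.9",
        "Nov 14 10:00:05 web01 sshd[2201]: pam_unix(sshd:auth): authentication failure; user=root rhost=203.0.113.9",
    ],
    "db01": [
        "Nov 14 10:01:00 db01 oracle: audit: user APP select on CUSTOMERS",
        "Nov 14 10:01:09 db01 sshd[881]: Accepted publickey for dba from 10.0.0.5",
    ],
}


def sign_batch(host, lines, key=AGENT_KEY):
    """Agent side: serialize a batch of lines and attach an HMAC-SHA256 tag."""
    payload = json.dumps({"host": host, "lines": lines}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Collector:
    """Central server: verifies each batch, archives it, alerts on policy hits."""

    def __init__(self, key=AGENT_KEY, fail_threshold=3):
        self.key = key
        self.fail_threshold = fail_threshold
        self.archive = []          # list of (host, line) kept for search/forensics
        self.alerts = []           # policy-violation alerts raised so far
        self.rejected = 0          # batches whose integrity check failed
        self._failures = defaultdict(int)

    def receive(self, batch):
        """Verify the HMAC before trusting anything in the batch."""
        expected = hmac.new(self.key, batch["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, batch["tag"]):
            self.rejected += 1     # tampered or unauthenticated batch: do not archive
            return False
        data = json.loads(batch["payload"])
        for line in data["lines"]:
            self.archive.append((data["host"], line))
            self._check_policy(data["host"], line)
        return True

    def _check_policy(self, host, line):
        """Basic rule: alert once when a host reaches the failure threshold."""
        if "authentication failure" in line:
            self._failures[host] += 1
            if self._failures[host] == self.fail_threshold:
                self.alerts.append(f"{host}: {self.fail_threshold} authentication failures")

    def search(self, needle):
        """Central search across every archived line from every host."""
        return [(host, line) for host, line in self.archive if needle in line]


def run_demo(key=AGENT_KEY):
    """Push the sample batches, then a batch altered after signing."""
    collector = Collector(key=key)
    for host, lines in SAMPLE_LINES.items():
        collector.receive(sign_batch(host, lines, key))
    # Constructed tampering case: the line is rewritten in transit to hide a delete.
    tampered = sign_batch("db01", ["Nov 14 10:02:00 db01 oracle: audit: user APP delete on CUSTOMERS"], key)
    tampered["payload"] = tampered["payload"].replace("delete", "select")
    collector.receive(tampered)
    return collector


if __name__ == "__main__":
    c = run_demo()
    print("archived:", len(c.archive), "rejected:", c.rejected, "alerts:", c.alerts)
    print("sshd lines:", len(c.search("sshd")))
```

Running the module archives the five genuine lines, rejects the one altered batch, raises a single alert for web01 and lets an operator search all hosts' logs in one place; swapping the threshold or the rule body is where a real product's correlation logic would go.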

Given the above, the only way companies can comply with these standards is by installing an LM solution in the network. Log management by itself is a vast subject, so I am restricting this post to defining the basics of LM.

As my post title goes, I was looking at providing an LM solution as a SaaS-based application, wherein logs from customers' critical systems are collected and stored. This way, the event log data collected from multiple customers can produce derivative data for trend analysis, telling the market which vulnerabilities prevailed and what remediations can be taken to overcome them.

In this model, the SaaS provider should have a foolproof infrastructure for storing log events from various customers.

My next post deals with the technical aspects of implementing the discussed model…
