The LOGNESS Framework, following the principles that led to its success (easy implementation, easy use, simple pricing and function-rich content), covers the collection, processing and evaluation of log stacks. PRAUDIT has integrated the experience gained from the past years' successful projects into the SIEM platform, a body of know-how that is unique on the Hungarian market and is built on log analytics services that have been applied successfully for years.
Composition of the LOGNESS Framework
The LOGNESS Framework consists of three standalone modules. Collection and storage of logs from multiple systems is performed by the Collector module. From the Collector module, log messages are passed to the Parser module, where formal unification takes place and the result is saved into a separate database. On this database, the Analyzer module is able to run queries and, depending on the result of these queries, send alert notifications.
The Collector itself is also of modular design. Its core is a background application responsible for loading the various source and assimilation modules. Source modules collect messages from several logging sources, including but not limited to logs arriving via the syslog protocol and UNIX-style log files. Assimilation modules, on the other hand, forward these logs in several forms (via the syslog protocol, or by exporting to a file). The units that store logs in databases and apply digital signatures and timestamps are also implemented as assimilation modules.
The Parser unit handles the formal unification of received messages according to 'Regular Expressions' stored in the system, after which it stores the normalized logs in a database. So-called 'Exclusion Patterns' can also be defined: logs that contain these patterns are automatically discarded. Together with the processing acceleration patterns and the regexes, these exclusion patterns are stored in a database.
Basic overview of the Processor module's functions:
– Native normalization of log stacks and organization into a database
– Ability to import normalization rules, so that substantive analysis can start within minutes
– Continued expansion of the known log sources, host types and events
– Support for a distributed processing infrastructure
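The normalization, exclusion-pattern and acceleration-pattern mechanism described for the Parser, shown as an added example that is not LOGNESS code: each rule carries a cheap literal keyword that must be present before its regex is tried (my assumed reading of the "processing acceleration patterns"), exclusion patterns drop noise before parsing, and unmatched lines are kept unparsed rather than lost. The sample syslog lines, rule names and field names are constructed for the example.

```python
import re

# Constructed sample syslog lines (not captured from a real system).
SAMPLE_LOGS = [
    "Mar 10 12:00:01 srv1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 5022 ssh2",
    "Mar 10 12:00:02 srv1 sshd[2211]: Accepted publickey for alice from 198.51.100.4 port 40122 ssh2",
    "Mar 10 12:00:03 srv1 CRON[3310]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 10 12:00:04 srv1 kernel: usb 1-1: new high-speed USB device",
]

# Exclusion patterns: any line matching one of these is discarded before parsing.
EXCLUSION_PATTERNS = [re.compile(r"CRON\[\d+\]: \(root\) CMD")]

# Common syslog header: timestamp and host, reused by every rule.
HEADER = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "

# Normalization rules: (event name, acceleration keyword, regex).
# The keyword is a literal substring test that gates the regex, so most
# lines skip the expensive match entirely (assumed meaning of "acceleration pattern").
NORMALIZATION_RULES = [
    ("ssh_auth_failure", "Failed password",
     re.compile(HEADER + r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                r"(?P<user>\S+) from (?P<src_ip>\S+) port \d+")),
    ("ssh_auth_success", "Accepted",
     re.compile(HEADER + r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
                r"from (?P<src_ip>\S+) port \d+")),
]


def normalize(line):
    """Return a normalized record for one raw line, or None if excluded."""
    for pattern in EXCLUSION_PATTERNS:
        if pattern.search(line):
            return None
    for event, keyword, rule in NORMALIZATION_RULES:
        if keyword not in line:       # acceleration: skip regex when keyword absent
            continue
        match = rule.match(line)
        if match:
            return {"event": event, **match.groupdict(), "raw": line}
    # Unknown formats are kept, not dropped, so nothing silently disappears.
    return {"event": "unparsed", "raw": line}


def process(lines):
    """Normalize a batch of raw lines, dropping excluded ones."""
    return [rec for rec in (normalize(ln) for ln in lines) if rec is not None]
```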
The Analyzer is the part of the system that is 'visible' to the user and is used to access its functions. System administration tasks (user management, adding filters) are also performed through this module. The received messages can be viewed in a tree structure.
Basic overview of the Analyzer module's functions:
– User-friendly, easily operated Hungarian user interface
– Query Wizard with pre-defined and user-specific filters
– Real-time alerting, categorization and handling of incidents on multiple levels
– Support for role-based and event-based management of user rights
– Real-time correlation analysis with a user-friendly rule wizard