Allianz Hungaria Insurance Co.
Allianz Hungaria Insurance Co. is one of the three largest insurance companies in Hungary, with extensive infrastructure spread over several locations that produces more than 5000 log messages per second (5000+ EPS). The company had already established log collection successfully, but had trouble reaching its goals of real-time log analysis and anomaly detection.
The client's Information Security Department had clearly stated requirements for online and offline log reports, defining every event LOGNESS had to normalize and organize into those reports. Log loss was unacceptable. Under the relevant Hungarian regulations, insurance companies were, and still are, required to establish procedures for log collection and monitoring, including protecting the integrity of log messages, real-time monitoring and alerting.
The project and results
First, we had to build a robust, high-availability system to avoid log loss: one capable of processing and correlating more than 5000 log messages per second. The solution was an HA cluster for log collection (LOGNESS Collector) and log processing (LOGNESS Parser), with the database distributed across three nodes. Using Elasticsearch's built-in distribution of indices across nodes, we could provide adequate response times on a database made up of daily indices holding over 50M log messages each. During the project we also had to analyze the incoming messages in order to detect and filter out the "gray matter" of logging (messages that carry no usable information) so as to reduce the load on the system and save storage capacity.
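The noise-filtering stage and the daily-index layout described above, as an added illustration that is not LOGNESS or PR-AUDIT code. The sample log lines, the drop-rule names and the `logs-YYYY.MM.DD` index naming are assumptions made for the example. The point a practitioner cares about under a "no log loss" requirement is that every dropped message is counted per rule, unparseable lines are set aside for review rather than silently discarded, and the received/indexed/dropped/unparsed totals always reconcile:

```python
"""Noise ("gray matter") filtering plus daily-index routing for a log pipeline.

Added example for the case study above; not LOGNESS code. Rule names, sample
log lines and the index naming scheme are assumptions.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample messages in a syslog-like "timestamp host message" form.
SAMPLE_LOGS = [
    "2024-03-11T09:14:02Z fw01 keepalive from peer 10.0.0.2",
    "2024-03-11T09:14:02Z app03 User jdoe logged in from 10.1.4.7",
    "2024-03-11T09:14:03Z fw01 keepalive from peer 10.0.0.2",
    "2024-03-11T09:14:05Z db02 Connection pool statistics: active=12 idle=4",
    "2024-03-11T23:59:59Z app03 Failed password for admin from 203.0.113.9",
    "2024-03-12T00:00:01Z lb01 health check OK backend=app03",
    "2024-03-12T00:00:04Z app03 User jdoe logged out",
    "garbage line without timestamp",
]

# Drop rules (assumed names): a message matching any rule is treated as
# carrying no security-relevant information. Each drop is counted under the
# rule that caused it, so the reduction stays measurable and auditable.
DROP_RULES = [
    ("keepalive", re.compile(r"\bkeepalive\b", re.I)),
    ("health_check", re.compile(r"\bhealth check OK\b", re.I)),
    ("pool_stats", re.compile(r"Connection pool statistics", re.I)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")


def parse_line(line):
    """Split a line into timestamp, host and message; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"ts": ts, "host": m.group("host"), "msg": m.group("msg")}


def index_name(ts):
    """Daily index name (assumed scheme) derived from the event timestamp."""
    return f"logs-{ts:%Y.%m.%d}"


def process(lines, rules=DROP_RULES):
    """Filter noise, route the rest to daily indices, and account for every line.

    Returns (routed, stats, unparsed): routed maps index name -> events,
    stats holds the counters, unparsed keeps lines that could not be parsed
    so nothing is lost silently.
    """
    stats = Counter()
    routed = {}
    unparsed = []
    for line in lines:
        stats["received"] += 1
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)      # kept for review, never discarded
            stats["unparsed"] += 1
            continue
        hit = next((name for name, rx in rules if rx.search(ev["msg"])), None)
        if hit is not None:
            stats["dropped:" + hit] += 1
            stats["dropped"] += 1
            continue
        routed.setdefault(index_name(ev["ts"]), []).append(ev)
        stats["indexed"] += 1
    # Accounting invariant: nothing leaves the pipeline unaccounted for.
    assert stats["received"] == (stats["indexed"] + stats["dropped"]
                                 + stats["unparsed"])
    return routed, dict(stats), unparsed


if __name__ == "__main__":
    routed, stats, unparsed = process(SAMPLE_LOGS)
    for name, events in sorted(routed.items()):
        print(f"{name}: {len(events)} events")
    print("stats:", stats)
    print("unparsed:", unparsed)
```

Running the block on the constructed sample routes three events into two daily indices, drops four noise messages (two keepalives, one health check, one pool-statistics line) and holds one unparseable line for review. In a real deployment the per-rule drop counters are what lets you show an auditor which message classes were filtered and why, and the unparsed queue is where a new device type first shows up before a parser exists for it.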
Once we had collected every log we needed and filtered out those we could not use, we had to build the custom log reports defined by the client. The reports were built according to the lists the client provided and are accessible through the web-based GUI of the LOGNESS framework after LDAP-based authentication. As part of the support provided by PR-AUDIT, the built-in filters and rules were fine-tuned, and the system was ready to support day-to-day IT security processes.