What is log management?

Log management is the practice of analyzing, filtering, categorizing and reporting on system event logs. For security teams to be able to leverage logs in an effort to spot potentially suspicious activity, a security operations center (SOC) may need an effective security information and event management (SIEM) platform to help sift through log data and raise relevant alerts.

What is a log file?

According to the Cybersecurity and Infrastructure Security Agency (CISA), log files are "files that provide data that is the foundation of incident response, enabling network analysts and incident responders to investigate and diagnose issues and suspicious activity from network perimeter to epicenter."

A log file keeps a record of an event – usually of something incorrect that occurred – so that security teams can leverage SIEM technology to investigate and take action if necessary.

What is centralized log management?

Centralized log management correlates the millions of daily events in an environment directly to the users and assets taking those actions. The goal is to highlight risk across an organization and prioritize where to search if potentially suspicious activity is taking place.

A log management process should be able to integrate with the existing security stack, providing the context needed to view the data and customize event and investigation reports. Log data, context, prioritized investigations, and detailed reporting: that is the power of proper log management.

What is the difference between log management and SIEM?

The difference between log management and SIEM is that SIEM tools are designed to combine log management capabilities with other functionalities, with the ultimate goal of enacting stronger security measures that can more thoroughly protect the organization.

  • Logging events: Log management systems mainly record what happened. They are tools for collecting and indexing data from endpoints, systems and networks. That is largely the end of their capabilities. What security practitioners choose to do with that data is beyond a log management tool's capabilities.
  • Protecting the environment based on data from logged events: Log management is one of the core capabilities of a SIEM. Where it goes beyond a log management tool is that it can log events and then automate correlation of those events so that it can enact security event detection and reporting. This enables a security operations center (SOC) to take faster, more decisive action.

At this point, anyone reading this might assume that a modern SIEM is the way to achieve one-stop logging and data security analysis in the name of better protecting the environment, while providing useful, more actionable insights.

But every business and its accompanying security organization is unique and has specific needs. Perhaps only a log management tool is needed. Or perhaps a separate log management tool with powerful capabilities focused specifically on logging is what is needed. It's important to take stock of what is actually needed so that budget is allocated for the right tools to further the right goals.

Why is log management important?

Log management is important because it helps to centralize logs onto one tool so that a security organization can search, correlate, and gain insights from one place. With this capability, those doing diagnosis can pinpoint problems and reprioritize them faster.

Log management tools are also important because of the following ways they can benefit IT and security organizations:

  • Maintaining compliance requirements: State and federal regulators set logging requirements for specific industries and organization sizes, so a powerful log management tool can greatly help an organization stay secure and compliant. Ensure the ability to provide proof of the results of real-time corrections to keep cloud environments compliant.
  • Increasing visibility across environments: Disparate systems will centralize their logs into one tool, meaning teams can view data from these systems side-by-side for an in-depth look at what's happening in an environment at any given time. Gaining and maintaining visibility is critical to an organization's ability to leverage threat intelligence.
  • Handling large volumes of logs: Think about the sheer amount of logs that are generated daily across even a small business' IT organization. Then scale that up to mid-size and large enterprise environments. Across the applications that make up an environment, the people authenticating into the network, and the devices throughout it, a log management tool can centralize, store, and organize all of these event logs.

These benefits make a log management tool one of the most important aspects of a security organization. It's a must-have in the quest to automate the organization of mountains of data and search for actionable insights to continuously counter threats.

Common log management challenges

As with anything security-related, there can be challenges when attempting to implement a log management program or a SIEM platform that incorporates robust log management capabilities.

Data normalization at collection

Many of today's logging solutions can handle multiple formats. However, most cannot work with custom or flat log formats. It may not always be possible to structure or format logs nicely, as access to the app or service source code may not be available to update the formats so that a logging solution can handle them.

Lack of analytical capability

Logs as data is the concept of using logs to extract key metrics or trends about system behavior. Logs can be a rich data source, provided a team can work with the log format AND perform analytical functions on key metrics extracted from log events.

Many traditional logging solutions focus on simply being able to index and search logs. While being able to effectively and efficiently search logs is important for investigations and remediations, applying analytics to the key metrics in log events is critical.

Correlating information

Correlating data correctly can be a daunting task. There are lots of tools out there that send log data into one big bucket and provide the user with largely unintelligible results. Being able to access, correlate, and gain actionable insights from logs in real time is a key performance indicator (KPI) for SOC success. Ensuring the data security of those raw events is also critical.

Identifying key events

Knowing what to look for may be the hardest challenge of all. This is one of the biggest issues with log management tools that focus on search and complex query languages. If a search language cannot show users what to look for, it is useless no matter how powerful it is.

Log management best practices

Rather than getting stuck on the challenges above, it's important to establish baseline best practices when standing up a log management tool or a larger program that tackles log management capabilities.

Develop a strategy

Don't log blindly. Instead, think carefully about what is being logged and why. Logging, like any important IT and/or security component, needs a strategy. When building a DevOps setup or even releasing a single new feature, an organized logging plan is a must. Without a clear strategy, teams may end up manually managing an ever-growing set of log data, ultimately complicating the process of identifying the information that matters.

Separate and centralize log data

Logs should always be collected automatically and sent to a centralized location, separate from the production environment. Consolidating log data makes it easier to organize and manage and enriches analytical capability, enabling a SOC to efficiently run cross-analyses and identify correlations between different data sources.

Forwarding log data to a centralized location enables system administrators to grant developers, QA, and support teams access to log data without giving them access to the production environment. As a result, those teams can use log data to debug problems without risking an impact on the environment.

Correlate data sources

End-to-end logging into a centralized location allows dynamic aggregation of various streams of data from different sources. These include applications, servers and more, used to correlate key trends and metrics. Correlating data enables quick and confident identification and understanding of events that are causing log management system malfunctions.

Identify key trends through logs

Troubleshooting and debugging only scratch the surface of what log data offers. Although logs were once seen as a painful last resort for finding information, today's logging tools can empower everyone from developers to data scientists to identify useful trends and key insights from their applications and systems.

Treating log monitoring and events as data creates opportunities to apply statistical analysis to user events and system activities. Grouping event types and summing values enables long-term comparisons of events. This level of insight opens the door to making better-informed business decisions based on data often unavailable outside of logs.
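As an added example (not code from the original page or from Rapid7), here is a small Python sketch of the two steps this page keeps returning to: normalizing a custom flat log format alongside a standard one at collection time, and then grouping event types and summing values per user so that events from different sources can be compared. The sshd-style syslog lines, the key=value lines, the hosts and the user names are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample input (made up for this example): an sshd-style syslog
# format and a custom key=value "flat" format, as a collector might receive.
SYSLOG_LINES = [
    "Mar 10 08:01:12 web01 sshd[1042]: Failed password for alice from 10.0.0.5 port 5122",
    "Mar 10 08:01:15 web01 sshd[1042]: Failed password for alice from 10.0.0.5 port 5123",
    "Mar 10 08:02:01 web01 sshd[1050]: Accepted password for alice from 10.0.0.5 port 5130",
]
FLAT_LINES = [
    "ts=2024-03-10T08:03:00Z host=app01 user=alice action=download bytes=5242880",
    "ts=2024-03-10T08:04:30Z host=app01 user=bob action=download bytes=1024",
    "ts=2024-03-10T08:05:10Z host=app01 user=alice action=download bytes=7340032",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>\w+)\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)

def normalize_syslog(line):
    """Map an sshd syslog line onto the common schema; None if unrecognised."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = "auth_failure" if m["result"] == "Failed" else "auth_success"
    return {"host": m["host"], "user": m["user"], "src": m["src"],
            "event": event, "value": 1}

def normalize_flat(line):
    """Map a key=value line onto the common schema; 'value' is the byte count."""
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if "user" not in kv or "action" not in kv:
        return None  # drop lines lacking the fields needed for correlation
    return {"host": kv.get("host", "unknown"), "user": kv["user"], "src": None,
            "event": kv["action"], "value": int(kv.get("bytes", 0))}

def normalize_all(syslog_lines, flat_lines):
    """Normalize both sources into one list, skipping unparseable lines."""
    events = [normalize_syslog(ln) for ln in syslog_lines]
    events += [normalize_flat(ln) for ln in flat_lines]
    return [e for e in events if e is not None]

def summarize_by_user(events):
    """Group by (user, event type) and sum values: the 'group and sum' step."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["event"])] += e["value"]
    return dict(totals)
```

In a real collector the unparseable lines would be counted and kept rather than dropped, since a parsing gap is itself a visibility gap.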

Empower the whole team

A log monitoring and management service that is only accessible to a highly technical team severely limits an organization's opportunity to benefit from log data. A log management and analytics tool should give developers live-tail debugging; administrators real-time alerting; data scientists aggregated data visualizations; and support teams live search and filtering capabilities. It should do all of this without requiring anyone to access the production environment.

Read more about log management

Log management: latest Rapid7 blog posts