This article will help you understand the following aspects of Deep Security Log Inspection:
- Definition of Log Inspection
- Usage of Log Inspection
- Configuring the Log Inspection
What is Log Inspection?
The Deep Security Log Inspection module provides the ability to collect and analyze operating systems and application logs for security events. Log Inspection rules optimize the identification of important security events buried in multiple log entries. These events can be forwarded to a SIEM system or centralized logging server for correlation, reporting, and archiving. The Deep Security Agent will also forward the event information to the Deep Security Manager.
When to use Log Inspection?
Below are some of the use cases where organizations can utilize the Log Inspection capability within Deep Security platform:
- Auditable reporting for compliance. A complete audit trail of security events can be generated to assist with meeting compliance requirements such as PCI 10.6 and/or addressing four (4) of the SANS Top 20 Critical Security Controls (e.g. Control 6: Maintenance, Monitoring, & Analysis of Audit Logs and Control 16: Account Monitoring & Control)
- Suspicious-behaviour detection. The module provides visibility into suspicious behaviour that might occur on your servers.
- Collecting events across your environment. The Deep Security Log Inspection module is able to collect and correlate events across Microsoft Windows, Linux, and Solaris platforms, application events from web servers, mail servers, SSHD, Samba, Microsoft FTP, and as well as custom application log events.
- Correlate different events. Collect and correlate diverse warnings, errors, and informational events, including system messages such as disk full, communication errors, services events, shutdown, and system updates, application events such as account login/logout/failures/lockout, application errors, and communication errors, and administrative actions such as administrative login/logout/failure/lockout, policy changes, and account changes.
How to use the Log Inspection Control?
Log Inspection content is delivered in the form of rules included in a Security Update. These rules provide a high level means of selecting the applications and logs to be analyzed.
- Make sure the Log Inspection module is turned on within your security policy and click Save.
- Under the General tab, click the Scan for Recommendations button to start the recommendation scan. The recommendation engine is a framework that exists within Deep Security Manager, which allows the system to suggest and automatically assign security configuration (in our case Log Inspection Rules). The goal is to make configuration of computers easier and only assign the relevant security required to protect the computer at that point in time. As the virtual machines change, the security policy changes with it. The recommendation scans process can be automated. For more information check out this article: The What, Why and How of Recommendation Scans.
- Once the recommendation scan is completed and assigned, double-click the rules to examine each suggested rules.
- Select the Configuration tab and make any desired changes if needed, then click OK. Custom log inspection rules can also be created if required. Save and apply the policy to the relevant instances or computers.
- If required, you can forward these events to a central SIEM solution either from the two levels below:
- From the policy level, go to Settings > SIEM. Select the Forward Events to radio button.
- From the system level, go to System Settings > Event Forwarding. Under SIEM section, tick the Forward System Events checkbox.
In conclusion, logs are security gold but finding actionable insights in mountains of data can be challenging. Log inspection makes data mining easier by providing continuous monitoring of OS and app logs. We filter out the noise and reduce false positives so that you can focus on real issues.