Security Event Management

Log Analysis, Reporting and Storage

Intelligent Log Normalization and Storage

The Log Correlation Engine allows very easy configuration of which logs should be saved and which should be normalized. Simply put, the Log Correlation Engine can be configured to process events from close to 200 different log sources such as firewalls and operating systems.

When configuring the Log Correlation Engine, it is very easy to select what types of log sources exist, and what sort of events should be normalized. The Log Correlation Engine also has a mode where any log sent to it can be saved on the local disk, a second disk, or on network storage.

This is a very important concept because not all logs may be relevant to understanding your overall security posture, yet there may likely be regulatory requirements to store all logs. The Log Correlation Engine can be configured to solve both of these problems. For example, the Log Correlation Engine can be used to save all logs for 90 days, yet only normalize intrusion detection, firewall and Windows security events. This allows for efficient analysis of the security events, while still retaining all logs, including one not relevant to security for 90 days.

Ultra-High Speed Queries

Having a large amount of events is of little use if it takes 30 minutes to produce a “trending” report. Tenable’s approach is that all user interfaces for the Security Center and the Log Correlation Engine should handle close to 500 million normalized events and have any query complete in less than 10 seconds. This means that a user could sort events, find something of interest, and drill directly down into the actual log message in just a few clicks. It also means that a user can jump directly from an interesting intrusion event, to all log events (firewall, operating system, honeypot, etc.) concerning the attacker’s IP with one click.

Role Based Log Analysis

The Log Correlation Engine’s analysis performance also allows unique accounts to be configured that have limited access to the available data. For example, an account for all DNS administrators could be configured such that when they logged in, they would only be presented with logs that “touched” their servers.

This has several benefits. Foremost, during an incident, all of the relevant logs are available for immediate analysis. This includes historical events as well as those that occurred within the past 5 minutes. Although forensic log analysis is typically the job of the security expert, system administrators will often recognize aberrations in the logs which may otherwise go unnoticed. An additional benefit is that these logs are available for performance, diagnostics and troubleshooting. For example, having access to the firewall logs may help an email administrator troubleshoot the configuration of a high-availability server.