
Security Log Aggregation and Correlation (SLAC)

Golden Chopsticks Kimchi SLAC Design

(1) The kimchimenow.com web servers have the Splunk Universal Forwarder installed to capture log file data. The forwarder runs on load-balanced servers deployed in three availability zones. Below are the most critical Linux logs to monitor.

  • /var/log/syslog or /var/log/messages - general activity data from across the Linux system
  • /var/log/auth.log or /var/log/secure - authentication logs
  • /var/log/boot.log - messages logged during startup
  • /var/log/maillog or /var/log/mail.log - events related to email servers
  • /var/log/kern - kernel logs
  • /var/log/dmesg - device driver logs
  • /var/log/faillog - failed login attempts
  • /var/log/cron - events related to cron jobs or the cron daemon
  • /var/log/yum.log - events related to installation of yum packages
  • /var/log/httpd/ - HTTP error and access logs containing all HTTP requests
  • /var/log/mysqld.log or /var/log/mysql.log - MySQL log files

(2) Splunk Enterprise Server is where the kimchimenow.com web application servers forward their logs. This is where event data is aggregated: data related to system, network, operating system, database, application, web server, and user events.

(3) Machine learning techniques are used to correlate and identify associations between event data. Common event correlation techniques are time-, rule-, pattern-, topology-, domain-, and history-based.
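As an added illustration of the time- and rule-based correlation techniques named above (this is example code written for this page, not part of the design or a Splunk feature), the snippet below groups sshd events from /var/log/auth.log by source address and raises an alert when a burst of failed logins inside a time window is followed by a success. The log lines, the year (syslog lines carry none), the threshold of five failures and the five-minute window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in /var/log/auth.log (sshd) format; not real data.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:04 web1 sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51023 ssh2
Mar  3 10:00:07 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:00:09 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 10:00:12 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:00:15 web1 sshd[2111]: Accepted password for deploy from 203.0.113.7 port 51027 ssh2
Mar  3 10:20:00 web2 sshd[3301]: Failed password for deploy from 198.51.100.4 port 40000 ssh2
Mar  3 10:45:00 web2 sshd[3305]: Accepted publickey for deploy from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse(line, year=2024):
    m = LINE_RE.match(line)
    if not m:
        return None  # not an sshd authentication event we care about
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year; assumed
    return {"ts": ts, "host": m["host"], "result": m["result"], "user": m["user"], "src": m["src"]}

def correlate(log_text, threshold=5, window=timedelta(minutes=5)):
    """Time- and rule-based correlation: per source IP, alert when `threshold`
    failures fall inside `window`; escalate if a success follows within `window`."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i], fails[i + threshold - 1]
            if last["ts"] - first["ts"] > window:
                continue
            success = next((e for e in evs if e["result"] == "Accepted"
                            and last["ts"] <= e["ts"] <= last["ts"] + window), None)
            alerts.append({"src": src, "failures": len(fails),
                           "severity": "high" if success else "medium",
                           "success_user": success["user"] if success else None})
            break  # one alert per source is enough for triage
    return alerts
```

On the sample data only 203.0.113.7 is flagged (five failures in eleven seconds, then a successful login as deploy), while the single failure from 198.51.100.4 stays below the threshold.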

(4) The correlated data can be normalized and integrated into a security information and event management (SIEM) system. SIEM dashboards can be created to:

  • Give an overview of notable events in your environment that represent potential security incidents.
  • Show details of all notable events identified in your environment, so you can undertake triage.
  • Keep a workbook of all open investigations, allowing you to track your progress and activity while investigating multiple security incidents.
  • Perform risk analysis that lets you score systems and users across your network to identify risks.
  • Display threat intelligence that adds context to your security incidents and identifies known malicious actors in your environment.
  • Show protocol intelligence using captured packet data to provide network insights relevant to your security investigations, allowing you to identify suspicious traffic, DNS activity and email activity.
  • Show user intelligence that lets you investigate and monitor the activity of users and assets in your environment.
  • Show web intelligence to analyze web traffic in your network.

SIEM provides real-time visibility, enhances investigations, and can fast-track threat response. The MITRE ATT&CK framework can be leveraged to determine frequent attack vectors and vulnerabilities in an IT ecosystem.

