LOGNESS framework, following the principles that led to its success, easy implementability, easy usability, easy pricing and the function-rich contents, achieves collection, processing and evaluation of log stacks using LOGNESS Artificial and Business Intelligence. PRAUDIT integrated its experiences based on the past years’ successful projects into the SEIM platform, which know-how is unique to the hungarian market and is based on log analytic services having been applied with success for years.
Architecture of the LOGNESS Framework
LOGNESS Framework consists of three standalone modules: collection and storage of logs from multiple systems is performed by the Collector module. From the Collector module, log messages are relocated to the Parser module where formal unification and saving into a separate database take place. LOGNESS Intelligence provides a user friendly GUI and
The Collector itself is also of modular design. Its core is a background application, responsible for loading different source and assimilation modules. Source modules collect messages from several logging sources, including but not limited to logs arriving via syslog protocol, UNIX-based log files, etc. Assimilation modules ont he other hand, are able to forward these log sin several forms (via syslog protocol, exportation to file). Units performing storing of log sin databases, application of digital signature and timestamping are also implemented in form of assimilation modules.
Basic overview of the Collector module’s functions:
• Reception, filtering and central management of log stacks
• Storage of raw logs in databases or file structure
• Trusted, digitally signed and timestamped storage, backup and archiving
• Optimization of storage capacity by pre-filtering of log messages
• Definability of allowed source groups, ability to monitor newly emerged sources
• Monitoring of possible malfunctioning sources (heartbeat), Agent and Collector-based solutions
Basic overview of the Parser module’s functions:
• Real time normalization and indexing of log messages
• Usage of Elasticsearch open source, noSQL database
• 500+ pre-defined filtering rules
• Out-of-box integration of well- known host systems
• Advanced correlation and pattern recognition with user friendly rule wizard
• Multi-dimensional behavior anomaly detection
Intelligence is the part of the system which is ’visible’ towards the user and is used to access the functions. System administrative tasks (user management, filter addition) are also performed via this module. The messages received can be viewed in a tree-structure.
• User friendly, web based interface for threat and breach detection and alerting
• Structured evaluation, daily, weekly, monthly pre-defined log analysis reports
• Intelligent free word search engine for powerful search, rapid forensic analysis of all data
• Event based statistical analysis for long-term trending and alerting
• Integrated support of tracing incidents, actions and case management