The collection of high volume logs that provide little security value may be clouding your log reports and pushing you over your log entitlement. In order to manage your log collection and entitlement levels, you can identify those logs that are high volume with low security value that you can tune out of your environment, as well as those logs that provide the most security value and that you should be capturing. Following these recommendations can minimize your unnecessary log collection while maximizing the security value that collected logs are providing.
Note: The following information applies only to customers with Alert Logic® Cloud Defender™ or Alert Logic Log Manager™ entitlements.
Identify High Volume Logs with Low Security Value
Logs that are being collected at high volumes and that provide little security value may be appropriate to tune out of your environment.
Step 1
Check the volume of logs being sent to you in the Alert Logic console.
- Navigate to Reports > Usage > Log Management.
- Click on the Summary widget. This will show you the average volume of logs being sent for a given time frame in MB/day.
- Click on the Message Volume widget. This will show you the volume of logs being sent per day for the given time frame.
Note: You can adjust the time frame by clicking the gear icon in the top right corner of the widget you want to adjust.
Step 2
Use the log search function to identify the highest volume log types.
- Navigate to Search > Log Messages and use the search function for the following steps.
- Search a 24-hour time frame by clicking BETWEEN > Last 24 Hours.
- Remove the default sort by time by clicking the gray filter icon and choosing the opposing arrows icon.
- Aggregate by message type by clicking Not Aggregated > Aggregate based on this item.
- Sort descending by message count by clicking the red opposing arrows icon and choosing the descending icon.
- Click the search icon to run the log query.
- Export this data to a spreadsheet by clicking the gear icon in the top right of the search results and clicking Export Log Messages.
Step 3
Continue using the log search function to identify the sources of log volume.
- Click the Reset Query icon.
- Search a 24-hour time frame by clicking BETWEEN > Last 24 Hours.
- Remove the default sort by time by clicking the gray filter icon and choosing the opposing arrows icon.
- Type "log source" in the text field and select Log Source when it appears in the pop-up below.
- Aggregate by log source by clicking the gray Not Aggregated > Aggregate based on this item.
- Click the search icon to run the log query.
- Export this data to a spreadsheet by clicking the gear icon in the top right of the search results and clicking Export Log Messages.
Step 4
Determine the impact that any changes to log collection will have. Alert Logic suggests utilizing percentages of total message count to best understand the impact.
- Open your exports in Microsoft Excel or your spreadsheet software of choice. Paste the message-type export (Step 2), leave at least one blank column, and then paste the log-source export (Step 3).
Note: The following steps assume that you are using Microsoft Excel.
- Get the total message count by auto-summing the message count values: scroll to the bottom of the Message column and press Alt and = together.
- In the empty column to the right of the Message column, type = and click the Message number to the left, then divide by the total message count, which is now at the bottom of the Message column.
Example: The input could look like this: =C2/C20, where C2 is the first number in the Message column and C20 is the auto-summed message count total created in the previous step.
- Add a $ symbol before the column letter and the row number of the total so you can auto-fill the formula down and show the share of total volume for each subsequent message type.
Example: The empty column input could look like this: =C2/$C$20.
Known High Volume Log Types
The following log types are known to produce high log volumes with low security value:
- Windows Success Object Access
- Windows Object Handle Closed
- Windows Object Handle Duplicated
- Windows Network Connection Successful
- Windows Privileged Object Operation
Before taking action against these and other identified high volume log types, speak with an Alert Logic security professional to avoid any adverse effects on security visibility or compliance. Create a ticket or reach out to your Customer Success Manager to start a conversation about the security value of each message type or log source.
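The Step 4 spreadsheet arithmetic, and the impact of tuning out the known high-volume types listed above, can also be worked out directly from the exported data. The script below is an added example and is not Alert Logic's code or part of the original article: it parses a message-type (or log-source) export, computes each item's share of the total message count (the =C2/$C$20 calculation), ranks the heaviest items, and estimates what fraction of daily volume would disappear if the known low-value Windows types were dropped. The CSV rows are constructed sample data, and the column names message_type and message_count are assumptions; check the header of your own export and pass the real names to load_counts. As the article says, the numbers are input to a conversation with Alert Logic, not a reason to tune anything out on their own.

```python
"""Estimate the impact of tuning out high-volume, low-value log types.

Added example (not Alert Logic code). Reproduces the Step 4 spreadsheet
arithmetic on a CSV export and estimates the volume removed by dropping
the message types the article lists as high volume / low security value.
"""
import csv
import io

# Constructed sample of a 24-hour "aggregate by message type" export.
# Column names are assumptions; match them to your real export header.
SAMPLE_EXPORT = """message_type,message_count
Windows Success Object Access,412000
Windows Object Handle Closed,388000
Windows Network Connection Successful,210000
Windows Logon Success,55000
Windows Object Handle Duplicated,41000
Windows Privileged Object Operation,33000
Linux SSH Login Failed,6100
Windows Logon Failure,4800
Windows Account Created,120
"""

# Message types the article lists under "Known High Volume Log Types".
KNOWN_HIGH_VOLUME_LOW_VALUE = {
    "Windows Success Object Access",
    "Windows Object Handle Closed",
    "Windows Object Handle Duplicated",
    "Windows Network Connection Successful",
    "Windows Privileged Object Operation",
}


def load_counts(csv_text, type_col="message_type", count_col="message_count"):
    """Parse an export into {item: count}; duplicate rows are summed.

    Works for the log-source export too: pass the source column as type_col.
    """
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row[type_col].strip()
        counts[key] = counts.get(key, 0) + int(row[count_col])
    return counts


def share_of_total(counts):
    """Step 4 arithmetic: each item's fraction of the grand total (=C2/$C$20)."""
    total = sum(counts.values())
    if total == 0:
        return {}
    return {k: v / total for k, v in counts.items()}


def tuning_impact(counts, to_drop):
    """Return (messages removed, fraction of total removed, remaining counts)
    if every item in to_drop were tuned out of collection."""
    to_drop = set(to_drop)
    total = sum(counts.values())
    removed = sum(v for k, v in counts.items() if k in to_drop)
    remaining = {k: v for k, v in counts.items() if k not in to_drop}
    return removed, (removed / total if total else 0.0), remaining


def report(csv_text, to_drop=KNOWN_HIGH_VOLUME_LOW_VALUE, top_n=5):
    """Rank the heaviest items by share of volume and summarise the tuning impact."""
    counts = load_counts(csv_text)
    shares = share_of_total(counts)
    ranked = sorted(shares.items(), key=lambda kv: kv[1], reverse=True)
    lines = [f"{t:40s} {counts[t]:>10,d} {s:6.1%}" for t, s in ranked[:top_n]]
    removed, frac, _ = tuning_impact(counts, to_drop)
    hit = len(set(to_drop) & set(counts))
    lines.append(
        f"Dropping {hit} known low-value types removes {removed:,d} messages "
        f"({frac:.1%} of the day's volume)"
    )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

Run it against your own Step 2 export by reading the file into csv_text; run the same functions on the Step 3 export with type_col set to the log-source column to see which hosts or sources carry the volume. The remaining dictionary returned by tuning_impact is what your collection would look like after the change, which is the figure to bring to the discussion with your Customer Success Manager.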
Identify Maximum Security Value Logs
Logs with maximum security value provide rich data on the security of your environments and should be captured.
- In the Alert Logic console, navigate to Configuration > All Deployments.
- Navigate to Log Management > Windows Event Log. Click the pencil icon to the right of the Default Windows Eventlog Policy.
- A side panel will appear. By default, the Collect All Available Event Log Streams box is checked. Uncheck this box.
- Scroll down and ensure that only Application, Security, and System are checked in the long list of checkbox options. Having only these options checked stops collection of the many operational Windows logs that provide little security value, while ensuring that the logs relevant to Alert Logic security content are still collected.