Alert Logic® provides several services to help you manage the logs that are generated from your environments. Within this article, we provide you with resources for getting the most out of these services and maintaining healthy environments.
In This Article
- Create Correlation Alerts and Policies
- Create and Apply Collection Alerts on Hosts
- Set Up AWS CloudTrail and Azure Activity Logs
- Set Up Recurring Reports
Create Correlation Alerts and Policies
Correlation alerts and policies are functions built into the Alert Logic log management service that allow you to be alerted when specified log message types are seen by Alert Logic. These alerts eliminate some of the manual work of sifting through each day's logs.
Correlation alerts are a set of rules that trigger an email notifying you when a specified log message type is generated from any host in your environment and seen by Alert Logic. An example message type that could be used for an alert is "Windows Audit Log Cleared." For more information on creating and managing correlation alerts see the Work with Correlation Alerts Alert Logic documentation.
Correlation Policies are alerts that you can correlate into a group based on certain values in chosen log messages. An example of a correlation policy is "Windows Login Failed on a specific user on a specific host," which will alert when the provided user and host have failed to log into a Windows host. For more information on creating and managing correlation policies, see the Create a Correlation Policy Alert Logic documentation.
Create and Apply Collection Alerts on Hosts
Collection alerts allow you to be automatically notified when a log source in the Alert Logic console is no longer sending logs and might cause gaps in security posture. For more information on creating and applying collection alerts on hosts, see the Work with Collection Alert Rules Alert Logic documentation.
Set Up AWS CloudTrail and Azure Activity Logs
AWS CloudTrail Logs
AWS CloudTrail provides event history of your Amazon Web Services (AWS) account activity, including actions taken through the AWS Management Console, AWS software development kits, command line tools, and other AWS services (source: AWS CloudTrail overview). For more information on AWS CloudTrail and Alert Logic, see the How do I configure Amazon Web Services CloudTrail for log collection? knowledge base article.
Sending Alert Logic logs from your AWS CloudTrail environments allows us to monitory for S3 Bucket changes, IAM Role changes, AWS user account modifications, and more. For more information on the Log Review service that AWS log oversight is bundled with, see the What Alert Logic Reviews with Log Review knowledge base article.
Azure Activity Logs
Microsoft Azure Activity Logs is a subscription log that provides insight into subscription-level events that have occurred in Azure. This includes a range of data, from Azure Resource Management operational data to updates on Service Health events. Using the Activity Log, you can determine the what, who, and where for any write operations taking place on the resources in your subscription (source: Microsoft Azure documentation). For more information on Azure Activity Logs, see the Azure Audit Logs Alert Logic documentation.
You can create correlation policies and alerts based on log messages generated from Azure Activity Logs environments to be alerted to any message types you have deemed as important to review.
Set Up Recurring Reports
Reports can help you analyze the threats, vulnerabilities, and compliance issues that Alert Logic has identified in your monitored networks. You can generate content for these reports on demand or at scheduled times from the Reports page - for Alert Logic Essentials, Professional, or Enterprise customers in the Alert Logic console in the main menu () > Validate > Reports and for Alert Logic Cloud Defender or Log Manager customers at Reports.
Suggested Log-Based Reports
The following reports relate to logs and can help you manage and understand the kinds of logs that are coming in from your environments.
- Logs - Executive Summary: This report calculates the total messages and average messages for sources that collected during the time window selected. It also displays historical collection issues that may have occurred during that time. The output is in a summarized format.
- Logs - Full Report: This report calculates the total messages and average messages for sources that collected during the time window selected. It also displays historical collection issues that may have occurred during that time. The output is in a detailed format.
- No Logs: This report checks all log sources and reports on those that have not sent any logs within the time period selected.