IBM QRadar 3) Logs

Let me tell you about the logs that a SIEM system is built on.

There are two types of logs: event logs and flow logs.

Event logs are what we usually think of as logs; they include the system, application and other logs from our infrastructure.

For example, event logs arrive as syslog, as files, or as database tables.

The other kind is called 'flow'; it is the network traffic on our network.

From flows we can learn a lot, for example how many packets were sent or received.

Please read Wikipedia for more information about flows.

The table below explains the log types in detail.

Table 1) Detail log information (table body not preserved on the page)

Log status means how the log is stored; it might be syslog, a file, or a database.

Each of these logs serves its own purpose.

Syslog is used to record every action on servers, network devices and security solutions.

You can think of it as one of the programs used on UNIX systems.

Most devices support syslog, and on Linux syslog simply writes all actions to /var/log/messages.

Syslog on each device sends the logs out, so we can think of syslog as pushing logs to QRadar.

Image 1) Push and Poll logs

Pushing is the real-time option for sending logs, but if QRadar goes down, syslog cannot deliver logs to QRadar and those logs are lost.

We can input the logs into QRadar manually, but that is not a perfect solution.

The syslog method is good for real-time and general purposes, but it cannot guarantee that all logs are kept.

I told you syslog is usually used for OS / network device / security solution logs.

So there may be other log types.

A typical one is the 'file log'.

IIS / DB / Tomcat / Apache / etc. use file logs to record their actions.

To collect file logs, we have to use the FTP protocol.

But some people don't want to use FTP.

If you don't want to, you can use SFTP.

SFTP is a file transfer protocol enhanced for security.

So let me say SFTP is better than FTP.

It is similar to how most companies nowadays restrict telnet connections.

Unfortunately, QRadar does not support collecting file logs in real time, because accessing the log file continuously would slow performance.

So we have to use a polling interval of at least 15 minutes; QRadar collects repeatedly on a schedule.

The file log protocol can make sure all logs are collected.

After a QRadar reboot, QRadar compares the last log collected with the original log file and collects the logs that were not collected yet.

So its advantages and disadvantages are the reverse of syslog's.

File logs have some rules.

When QRadar collects file logs, QRadar accesses the log file.

So QRadar needs an account on the server and authentication.

This protocol cannot be used for real-time collection, because QRadar accesses the file at intervals.

The minimum interval is 15 minutes.

We can't set a shorter time.
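To make the two trade-offs above concrete (push loses events emitted while the collector is down; scheduled file collection with a checkpoint picks them up after a restart, but only on its interval), here is a small simulation. This is an added example written for this post, not QRadar code or IBM's implementation: the `Collector` class stands in for the SIEM, a byte string stands in for the log file on the server, and the event lines and outage window are constructed.

```python
"""Push (syslog) versus scheduled poll (log file) collection, modelled in plain Python.

Everything here is a constructed simulation: `Collector` stands in for the SIEM,
the byte string stands in for a log file on a server, and the outage set marks
the moments the collector is unreachable.
"""
from dataclasses import dataclass, field


@dataclass
class Collector:
    """Stand-in for the SIEM: `up` is whether it can accept events right now."""
    up: bool = True
    received: list = field(default_factory=list)


def push_syslog(events, collector, outage):
    """Syslog-style push: every event is sent the instant it occurs.

    `outage` is the set of event indexes during which the collector is down.
    Events produced while it is down have nowhere to go and are returned as lost.
    """
    lost = []
    for i, event in enumerate(events):
        if i in outage or not collector.up:
            lost.append(event)          # no retry buffer on the sender side
        else:
            collector.received.append(event)
    return lost


class FilePoller:
    """Scheduled log-file style collection with a persisted byte offset.

    The offset is the checkpoint a collector keeps between runs; it advances only
    after a successful hand-off, so a restart re-reads what was missed instead of
    dropping it.
    """

    MIN_INTERVAL_MIN = 15           # the post states 15 minutes as the floor

    def __init__(self, interval_min=15):
        if interval_min < self.MIN_INTERVAL_MIN:
            raise ValueError(f"interval must be at least {self.MIN_INTERVAL_MIN} minutes")
        self.interval_min = interval_min
        self.offset = 0             # checkpoint: bytes already delivered

    def poll(self, log_bytes, collector):
        """Deliver every complete line written after the checkpoint; return the count."""
        if not collector.up:
            return 0                # nothing delivered, checkpoint untouched
        chunk = log_bytes[self.offset:]
        end = chunk.rfind(b"\n")
        if end < 0:
            return 0                # only a partial line so far; wait for the next cycle
        complete = chunk[:end + 1]
        lines = complete.decode("utf-8").splitlines()
        collector.received.extend(lines)
        self.offset += len(complete)
        return len(lines)


def demo():
    """Run both models over the same constructed six events; return what each kept."""
    events = [f"event {i}" for i in range(6)]

    # Push: the collector is unreachable while events 2 and 3 are emitted.
    pushed = Collector()
    lost = push_syslog(events, pushed, outage={2, 3})

    # Poll: the same outage falls on the second scheduled cycle.
    polled = Collector()
    poller = FilePoller(interval_min=15)
    log = b""
    log += "".join(f"{e}\n" for e in events[:2]).encode()   # cycle 1, collector up
    poller.poll(log, polled)
    polled.up = False
    log += "".join(f"{e}\n" for e in events[2:4]).encode()  # cycle 2, collector down
    poller.poll(log, polled)
    polled.up = True
    log += "".join(f"{e}\n" for e in events[4:6]).encode()  # cycle 3, collector back
    log += b"event 6 still being writ"                     # partial line, not yet complete
    poller.poll(log, polled)

    return {
        "push_lost": lost,
        "push_received": pushed.received,
        "poll_received": polled.received,
        "poll_offset": poller.offset,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The poller deliberately stops at the last newline, so a line the application is still writing is never delivered half-finished and is picked up whole on the next cycle; the checkpoint only moves forward after the collector has actually accepted the lines, which is what makes the catch-up after an outage possible.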

I said syslog is for OS logs and file logs are for application logs.
(That is the general case, not the only use.)

So, in what situation are DB logs used?

Usually, most solutions use DB table logs for managing historical data.

Simply speaking, if you have an internet monitoring solution, it writes down who used chat or messenger services.

In addition, the history of access to some systems is written to the DB; this type is the core of the log types.

Collecting DB logs requires JDBC (Java Database Connectivity) for each DBMS.

QRadar basically supports Microsoft SQL Server, Oracle, DB2, Sybase, etc.

Other DBMSs can also be collected by QRadar, but it cannot support every DBMS.
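The database case works the same way as the file case, but the bookmark is a column value instead of a byte offset. The example below is added for this post and is not QRadar's JDBC protocol or any vendor code: it uses Python's built-in sqlite3 as an offline stand-in for a JDBC connection, and the `access_log` table, its columns and its rows are all constructed.

```python
"""Polling a database table with a bookmark column, modelled with sqlite3.

QRadar reaches databases through JDBC; sqlite3 is used here only as an offline
stand-in so the query pattern can run anywhere. The table name, columns and
rows are constructed for the example.
"""
import sqlite3


def make_sample_db():
    """In-memory table shaped like the access history a monitoring product keeps."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access_log ("
        " id INTEGER PRIMARY KEY, ts TEXT NOT NULL,"
        " username TEXT NOT NULL, action TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO access_log (ts, username, action) VALUES (?, ?, ?)",
        [
            ("2024-01-01T09:00:00", "alice", "messenger_login"),
            ("2024-01-01T09:05:00", "bob", "chat_session_start"),
            ("2024-01-01T09:07:00", "alice", "file_transfer"),
        ],
    )
    conn.commit()
    return conn


class TablePoller:
    """Collect only rows newer than the last bookmark, in bounded batches.

    Using the monotonic primary key as the bookmark (rather than the timestamp)
    means a repeated poll never re-emits rows and never skips rows that share a
    timestamp.
    """

    def __init__(self, batch_size=100):
        self.batch_size = batch_size
        self.last_id = 0    # persisted between polls and across collector restarts

    def poll(self, conn):
        """Return the new rows as event strings and advance the bookmark."""
        rows = conn.execute(
            "SELECT id, ts, username, action FROM access_log"
            " WHERE id > ? ORDER BY id LIMIT ?",
            (self.last_id, self.batch_size),
        ).fetchall()
        if rows:
            self.last_id = rows[-1][0]
        return [f"{ts} user={user} action={action}" for _, ts, user, action in rows]


def demo():
    """Four polls: two drain the initial rows, one is empty, one picks up a new insert."""
    conn = make_sample_db()
    poller = TablePoller(batch_size=2)
    counts = [len(poller.poll(conn)), len(poller.poll(conn)), len(poller.poll(conn))]
    conn.execute(
        "INSERT INTO access_log (ts, username, action) VALUES (?, ?, ?)",
        ("2024-01-01T09:30:00", "carol", "messenger_logout"),
    )
    conn.commit()
    counts.append(len(poller.poll(conn)))
    return counts, poller.last_id


if __name__ == "__main__":
    print(demo())
```

The batch limit matters on a real table: a first run against months of history would otherwise try to pull everything in one query, and a bounded, ordered batch lets the bookmark advance safely run by run. The account the collector uses should only be able to read the log table, for the same reason the file-log account only needs read access to the log file.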

Please see the next posting if you want to know about flows.

Thanks.


Related Links

IBM QRadar 1) Overview
IBM QRadar 2) Main features
IBM QRadar 3) Log types (2/2)
