Installing and operating the Graylog SIEM solution
Log Inspector
Correlation
One of the most important SIEM tasks is correlation. To this end, fields must be structured and named uniformly. HTTP codes, for example, have different names on different systems (e.g., http_response_code on one system and status_code on another). Graylog has an important tool that unifies field names. With the extractor under System | Inputs | Manage extractors, the field names can be converted to uniform names.
Equally important is that the dates and times of log entries are the same for all computers, so you can find all error messages across the entire enterprise system that have occurred within a certain period of time. The extractor described above also helps here, because it can convert the date and time information extracted from the system computers to a uniform timestamp format. Figure 7 shows how easy it is to find errors retroactively from a certain time span for the entire enterprise system.
In Figure 7, the source field is linked to a wildcard and assigned to message levels 0 to 4. On Linux, the levels are numbered from 0 to 7, where 0 means Emergency, 1 is Alert, 2 is Critical, 3 is Error, …, and 7 is Debug. Under Windows, however, the levels are organized differently: Graylog stores the message levels that correspond to those on Linux in the severity level field.
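The following Python program is an added example, not code from the article or from Graylog. It spells out what the extractor described above does (rename differently named fields to one name, convert host-specific timestamps to one UTC format, and place Windows-style textual severities on the syslog 0 to 7 scale) and then runs a Figure 7 style query over the normalized records: a source wildcard, levels 0 to 4, and a time window. The sample records, the alias table, the timestamp formats and the Windows level mapping are constructed assumptions.

```python
"""Field-name and timestamp normalization for cross-host correlation.

Added example, not code from the article or from Graylog: it spells out in
Python what the extractor described above does (rename fields to one name,
convert timestamps to one format, map severities onto the syslog 0..7 scale)
and then runs a Figure 7 style query over the result. The sample records,
the alias table and the Windows level mapping are constructed assumptions.
"""
import fnmatch
from datetime import datetime, timezone

# Constructed: different systems naming the same HTTP status field.
FIELD_ALIASES = {"http_response_code": "http_status", "status_code": "http_status"}

# Assumed mapping of Windows event-log level names onto syslog severities
# (0 Emergency .. 7 Debug); Graylog's own Windows mapping may differ.
WINDOWS_LEVELS = {"Critical": 2, "Error": 3, "Warning": 4, "Information": 6, "Verbose": 7}

# Timestamp conventions seen on the sample hosts (ISO 8601, Apache access
# log, and space-separated ISO); all must carry a UTC offset or a trailing Z.
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%d/%b/%Y:%H:%M:%S %z", "%Y-%m-%d %H:%M:%S%z")

# Constructed sample input: four hosts, three timestamp formats, two names
# for the HTTP status field, one Windows-style textual severity.
RAW_EVENTS = [
    {"source": "web01", "http_response_code": "500", "level": "3",
     "timestamp": "2024-03-01T10:15:02+01:00", "message": "upstream timed out"},
    {"source": "web02", "status_code": "502", "level": "3",
     "timestamp": "01/Mar/2024:09:15:05 +0000", "message": "bad gateway"},
    {"source": "win01", "status_code": "200", "severity": "Information",
     "timestamp": "2024-03-01 09:15:10Z", "message": "request served"},
    {"source": "db01", "level": "0",
     "timestamp": "2024-03-01T09:14:59Z", "message": "out of disk space"},
]


def parse_timestamp(text):
    """Convert any of the known host formats into a timezone-aware UTC datetime."""
    if text.endswith("Z"):
        text = text[:-1] + "+0000"         # strptime's %z needs an explicit offset
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt).astimezone(timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def normalize(record):
    """Apply the extractor logic: uniform field names, timestamp and level."""
    out = {FIELD_ALIASES.get(key, key): value for key, value in record.items()}
    if "http_status" in out:
        out["http_status"] = int(out["http_status"])
    out["timestamp"] = parse_timestamp(out["timestamp"])
    if "severity" in out:                   # Windows textual level -> syslog number
        out["level"] = WINDOWS_LEVELS[out.pop("severity")]
    else:
        out["level"] = int(out["level"])
    return out


def find_errors(records, start, end, source="*", max_level=4):
    """Figure 7 style search: source wildcard, levels 0..max_level, time window."""
    hits = [
        event for event in map(normalize, records)
        if fnmatch.fnmatchcase(event["source"], source)
        and event["level"] <= max_level
        and start <= event["timestamp"] < end
    ]
    return sorted(hits, key=lambda event: event["timestamp"])


if __name__ == "__main__":
    start = parse_timestamp("2024-03-01T09:14:00Z")
    end = parse_timestamp("2024-03-01T09:16:00Z")
    for event in find_errors(RAW_EVENTS, start, end):
        print(event["timestamp"].isoformat(), event["source"], event["level"], event["message"])
```

Without the timestamp conversion, the web01 entry (written in UTC+1) would sort three seconds after db01's disk error instead of three seconds before web02's gateway error, and without the alias table a search on http_status would miss half the web servers; both are exactly the cases where a cross-host time-window search breaks down.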
Alerts
SIEM places much value on security. Graylog allows you to correlate data from different sources to find the proverbial needle in the haystack. If a specific constellation recurs within a specified period of time, Graylog triggers an alert, which in turn enables administrators to react promptly.
Graylog alerts are based on streams. By default, a stream named All messages, which has no rules, takes in all notifications. A new rule creates a new stream. The Active Directory example earlier in the article created a stream with the rule (Figure 8) "search all messages with the field name EventID that contain the value 4625."
An alert can be set up for this stream. Selecting Alerts | Manage condition | add new condition takes you to a form where you can define the stream and the conditions for the alert. In this example, choose the AD Failed Logons stream and select the alert Message count condition from among the three types of conditions:
- Message count condition: The alert is triggered if the selected stream received x messages in the last y minutes (e.g., very good at detecting brute force attacks).
- Field aggregation condition: The alert is triggered when a numeric field in a stream reaches a minimum or maximum threshold (e.g., suitable for determining whether the response time of a particular application has exceeded a maximum value).
- Field content condition: The alert is triggered if a field contains a certain value (e.g., Unknown source, which means that an untrusted source installed a program).
Clicking on Add alert condition opens another form in which the values of the parameters in Table 3 can be entered.
Table 3: Configuring Alerts

Parameter | Value | Remarks
---|---|---
Title | Failed Login AD |
Time Range | 1 | Evaluate all incoming messages every xth minute
Threshold Type | More than | Threshold types are more than or less than
Threshold | 5 | Number of messages fulfilling the condition
Grace Period | 1 | Number of minutes after which the condition should become active again
Message Backlog | 1 | Number of messages to be attached in the alert
After defining all conditions for an alert, you can start setting up a notification. Under Alerts | Manage notifications | Add new notification, you can specify the stream in question and determine who should be notified in case of a problem. You can choose between an HTTP and an Email alert notification. The recipient of the message can be either a registered Graylog user or any email address entered in the form.
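To make the Table 3 parameters concrete, here is an added Python model of the message count condition on the AD Failed Logons stream; it is not Graylog's code and makes no claim about Graylog's internals. Messages are routed into the stream by the EventID 4625 rule, the condition is evaluated on a schedule (as the Time Range remark describes) rather than on every message, the threshold "more than 5 in 1 minute" decides whether it fires, the grace period suppresses a repeat alert for 1 minute, and the message backlog attaches the newest stream messages to the alert. The Windows events, their field values and the evaluation checkpoints are constructed.

```python
"""Message-count alert condition with the Table 3 parameters.

Added example (not Graylog's code): models how the 'AD Failed Logons'
stream rule and the Table 3 alert parameters combine to detect a burst of
failed logons (EventID 4625). Graylog evaluates conditions on a schedule,
which evaluate() mimics; sample events and checkpoints are constructed.
"""
from datetime import datetime, timedelta

# Stream rule from the article: all messages whose EventID field is 4625.
STREAM_RULE = {"field": "EventID", "value": "4625"}


def matches_stream(record, rule=STREAM_RULE):
    """Return True when the record belongs to the AD Failed Logons stream."""
    return str(record.get(rule["field"])) == rule["value"]


class MessageCountCondition:
    """'Message count' condition: more than `threshold` stream messages in the
    last `time_range` minutes, re-armed only after `grace_period` minutes."""

    def __init__(self, title="Failed Login AD", time_range=1, threshold_type="more than",
                 threshold=5, grace_period=1, backlog=1):
        self.title = title
        self.time_range = timedelta(minutes=time_range)
        self.threshold_type = threshold_type
        self.threshold = threshold
        self.grace_period = timedelta(minutes=grace_period)
        self.backlog = backlog
        self.messages = []        # (timestamp, record) for stream messages only
        self.last_alert = None

    def ingest(self, timestamp, record):
        """Route a message into the stream if it matches the stream rule."""
        if matches_stream(record):
            self.messages.append((timestamp, record))

    def evaluate(self, now):
        """Scheduled check; returns an alert dict when the condition fires."""
        since = now - self.time_range
        recent = [(t, r) for t, r in self.messages if since < t <= now]
        count = len(recent)
        if self.threshold_type == "more than":
            triggered = count > self.threshold
        else:                                   # "less than"
            triggered = count < self.threshold
        if not triggered:
            return None
        if self.last_alert is not None and now - self.last_alert < self.grace_period:
            return None                         # grace period: suppress repeat alert
        self.last_alert = now
        return {
            "title": self.title,
            "count": count,
            "window": (since, now),
            # "Message Backlog": the newest N stream messages attached to the alert
            "backlog": [r for _, r in recent[-self.backlog:]],
        }


T0 = datetime(2024, 3, 1, 9, 15, 0)   # constructed reference time


def at(seconds):
    return T0 + timedelta(seconds=seconds)


# Constructed Windows Security events: two bursts of failed logons (4625)
# against one account, with a successful logon (4624) in between.
SAMPLE_EVENTS = (
    [(at(s), {"EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "10.0.0.23"})
     for s in (0, 5, 10, 15, 20, 25, 30)]
    + [(at(12), {"EventID": 4624, "TargetUserName": "admin", "IpAddress": "10.0.0.5"})]
    + [(at(s), {"EventID": 4625, "TargetUserName": "jsmith", "IpAddress": "10.0.0.23"})
       for s in (120, 125, 130, 135, 140, 145, 150)]
)

# Constructed evaluation schedule: 40 s (burst 1), 50 s (still in grace),
# 110 s (window empty), 160 s (burst 2, grace elapsed).
CHECKPOINTS = [at(40), at(50), at(110), at(160)]


def simulate(events, checkpoints, **params):
    """Feed events in time order, evaluating the condition at each checkpoint."""
    cond = MessageCountCondition(**params)
    alerts = []
    pending = sorted(events, key=lambda e: e[0])
    for now in checkpoints:
        while pending and pending[0][0] <= now:
            cond.ingest(*pending.pop(0))
        alert = cond.evaluate(now)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in simulate(SAMPLE_EVENTS, CHECKPOINTS):
        print(f"ALERT {a['title']}: {a['count']} messages, backlog={a['backlog']}")
```

Running it produces two alerts: the first burst fires at the 40 s check, the 50 s check sees the same seven messages but is inside the grace period and stays silent, the 110 s window is empty, and the second burst fires again at 160 s once the grace period has elapsed. Raising Threshold to 7 or shortening the evaluation interval changes how quickly a brute-force attempt is reported, which is the trade-off the Table 3 values encode.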
Conclusions
Central log management is indispensable in a modern IT landscape. On the one hand, it removes the need for administrators to perform manual checks; on the other hand, it increases the rate of error detection and improves security. SIEM systems systematically help detect anomalies or attacks and respond appropriately. They are thus the next generation of logging and are suitable for countering the increasing complexity of programs and attacks.
SIEM is additionally important because it has real-time monitoring capabilities and immediate notification of rule violations, as well as long-term archiving for analysis and reporting.
Infos
- Graylog: https://www.graylog.org
- Elasticsearch: https://www.elastic.co
- MongoDB: https://www.mongodb.com
- rsyslog: https://en.wikipedia.org/wiki/Rsyslog
- EventID search: https://social.technet.microsoft.com/Forums/en-US/home