log management tool

Believe it or not, log management tools play a key role in any IT organization!

Remember how we used to keep all our childhood memories in a scrapbook, how we use Post-it notes to remember minor details, or how we organise our belongings so that we can find them easily when needed? In the same way, today’s IT industry needs to manage its ever-growing data in the most beneficial way.

Logs such as audit records, intrusion alerts, transaction logs, connection logs, system performance records, event logs, user activity logs, etc. are generated by nearly every computing device, application and database. With growing complexity (cloud, virtualization, BYOD, compliance requirements, multiple databases, etc.), and in many cases an “organically grown architecture”, logs have become an important part of the IT infrastructure monitoring and compliance process. System administrators, site reliability engineers, web developers, or basically any key decision maker in an organisation can use log management tools to make better data-driven decisions.

There is always a need to keep a record of all activities. Nowadays data is logged for just about everything, be it web server uptime, JavaScript errors, database queries, Windows event logs, Linux logs, application logs, etc. You name it and you can probably log it. Having centralized logs is great, but you should also be able to analyse them efficiently and retain them, so that if an issue occurs in the near future you can breeze through your operational data to find the root cause and make sure that a frequently occurring glitch does not recur. After all, time is money!

Network devices, servers, databases and applications generate huge amounts of logs about a variety of events and processes. It can be a simple “All OK” log or a record of a security breach that is in progress. The key is to derive intelligence from it, i.e. knowing what needs to be monitored and managed, and that too in real time. Having the right kind of tool, one that can process enormous amounts of data and give you real-time alerts, can prove to be a lifesaver in many scenarios.

With its latest release, 6.5, Motadata has raised the bar. With real-time dashboards, you can now stay on top of security and network/system operations by pulling intelligence out of bulky data. Motadata can process log data of any format from any source to identify threats and trends and help meet compliance standards such as PCI DSS, FISMA, HIPAA and more.

It always comes back to the same question: is the glass half empty or half full? Similarly, log management can be seen as a challenge or an opportunity. The challenge is managing large amounts of data (structured and unstructured); the opportunity is to turn this data into actionable insights. Motadata is capable of processing any kind of data in any format.

It works well with any custom log data from any source, giving you unprecedented insight into your complete IT infrastructure on a unified platform. Getting actionable context from log data has become a dire need for any IT company, making log management tools the backbone of any organization.

We are all aware that “what gets measured, gets managed”. Motadata has practically implemented scalability and flexibility in a single log management tool. Motadata 6.5 has centralized log aggregation, which collects logs in a single repository, making it scalable; on top of that it is flexible, supporting distributed deployment that can be scaled and customized as you grow, thus giving you the lowest TCO in the industry.

Let’s turn your attention to four main challenges of log management in which Motadata excels in comparison to other tools:

  • Volume: Log data can occupy terabytes of storage per day in a large organization. Just collecting, centralizing and storing data at this volume may turn out to be difficult, whereas in Motadata 6.5 there is no size limit and no time limit on actual log data retention, which means “no cutting down on your crucial log data!” To be precise, Motadata offers 85% compression on raw extracted data.

  • Normalization: Every computing device produces logs in a different format; a common output format is derived using normalization. Our log management tool can handle log data of any format since it is completely customizable according to your needs.

  • Velocity: The speed at which logs are produced by systems can make collection and aggregation difficult. The unit of speed used is EPS (Events Per Second). Motadata has successfully analysed 1+ billion events in less than 10 seconds on a single server, and it can process 100k EPS on a commodity 4-core server.

  • Veracity: Log events may not be accurate. This is particularly problematic for systems that carry out detection, such as intrusion detection systems. Motadata has correlated analytics, i.e. metrics, flow and log management are correlated with each other, so root cause detection and correction, which usually takes hours or days, is just a click away.

As the saying goes, “the devil is in the details”, so deriving intelligence from and correlating log data across the network (servers, routers, switches), applications and databases is very valuable to both NOC (Network Operations Center) and SOC (Security Operations Center) teams.

Here are a few examples:

  • How quickly can you root-cause performance degradation of an application server?

  • How quickly can you identify an unauthorized access or attack?

We firmly believe that log management is an integral part of IT and security operations.
Log management comprises the complete collection of logs, aggregation, original (untampered) log retention, log text analysis, presentation (mostly in the form of search and reporting), related workflow (notifications, alerts, corrective action) and content. With log management, the use cases are broad and cover every possible use of log data across IT and even beyond.

There are quite a few differences between SIEM and log management, but the primary difference is that SIEM focuses on security (the first word in “Security Information and Event Management”) and on the use of various IT information for security purposes. Log management, meanwhile, is all about logs and the across-the-board use of log data, both within and outside the security domain. With so many use cases for log data, it is important for both NOC and SOC.

Let’s turn to the monitoring and analysis part. Debugging or diagnosing systems and apps when they crash, slow down or malfunction in any way needs to be done in the nick of time. We understand the issues faced by most professionals in this field, so we have incorporated a key feature called “Root Cause Analysis”. Log data is necessary for forensic analysis of security events and for detecting and countering attacks before damage is done, or preventing them from happening again. It also plays a key role in business analytics: every detail, from the number of transactions per hour to the value of individual transactions, matters!

An intelligent log management tool unearths the events that were buried in those logs and brings them to the surface, especially when you want to make connections between events recorded in different logs for related systems. From the security perspective, this matters because attackers often exploit multiple vulnerabilities on separate but connected systems.

With today’s distributed applications, the challenge of troubleshooting more routine failures or slowdowns is not very different: normally the breakdown is in the connection between two systems rather than in just one or the other. The investigation may start by looking at the web server. Checking the logs can show that the problem is really with the database server, or vice versa.

Assuming wrongly leads to a loss of valuable time, which impacts not only productivity but also the overall business of your company. That is why it is important to find the root cause of the problem as quickly as possible.

Extracting intelligence from log data was once considered an unrealisable task, but Motadata has made it possible. A system administrator would use log management software along with other specialized software, such as tools for monitoring networks, applications and databases. The unique benefit of Motadata is its breadth and its unified approach (integrated monitoring and log management): it can track activity from most types of systems (applications, devices, databases, etc.) and discover patterns that span multiple systems.

Here are a few examples of real-life use cases of log management that we are confident you can relate to:

Operations

  • Software installs, updates, or configuration changes made just before a server or application failure. Cause and effect?
  • Top 10 error messages reported on the server over the past hour, day, or week.

Performance

  • Web application response time, broken out on a per-page or per web service basis
  • Virtual machines created, started, stopped, or moved, along with log data on the performance of the hypervisor regulating this activity.

Security/Access/Change Management

  • List of users who logged into the server most recently, either overall or at a specific access level, such as admin.
  • Audit trail of files accessed, added, or modified.
  • Inappropriate file or database access, such as someone from marketing attempting to access HR records.
  • File or database record permission changes.
  • Devices added to or removed from the network.
  • Active Directory® changes, including users or groups added, deleted, or modified.
  • Network traffic patterns and activity directed at specific server ports.
  • Connections permitted or denied by firewall rules.

Compliance

  • Events tracked in specific submission reports for regulatory/compliance needs, like PCI, HIPAA, SOX, and many others.

When a problem occurs, the usual practice is to look into the logs for any available insight, but the challenge is that there are so many logs, and they are all dispersed unless they have been centralized.

Almost all information is recorded in some log. The challenge is how to find that information; usually scripts are written to extract it. Motadata’s Log Management capability provides an easy way to find information in logs and correlate it.

Motadata’s Log Management helps you sort through the noise embedded in log data and identify the events that are most significant. It lets you see what other events occurred immediately before or after, and then put the series of events related to the problem together. Similarly, you can start your search with the IP address of the web server front end of a malfunctioning application.

Motadata’s Log Management also presents the log data from the associated systems, such as the database back end. So even if you were certain at the outset that the problem was on the web server, you could instantly check whether the database server was generating any error messages, suggesting where you should continue your search for clues.

Here are two examples:

Example # 1

You would like to find out why your intranet went down during your CEO’s live-cast to all employees. Here is what you could find out by using Motadata’s Log Management and Network Monitoring software:

  • Log Management: A change was made in a firewall rule and that port was exposed to a new service
  • Network Monitoring: A surge in the web server’s CPU utilization, peaking at 99%, followed by the server rebooting itself

Example # 2

From the security perspective, it is very important to get alerted on key events such as

  • Alert me when AD user is deleted
  • Alert me when AD user is created/modified
  • Alert me on a DDoS attack on AD, i.e. log-in failed for a specific user more than 5 times in the last 10 seconds
  • Alert me when unauthorized access is attempted
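To make the alert rules above concrete, here is an added Python example (not Motadata’s code) that evaluates two of them over constructed account-activity records: account created/modified/deleted, and more than 5 failed log-ins for one user within 10 seconds, using a per-user sliding window. The record format and the use of Windows Security event IDs (4625, 4720, 4726, 4738) for AD activity are assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed sample records (not real data): "<epoch seconds> <EventID> <user>".
# Event IDs follow the Windows Security log convention (assumption):
# 4625 = failed logon, 4720 = user created, 4726 = user deleted, 4738 = user changed.
SAMPLE_LOG = """\
1000 4625 alice
1001 4625 alice
1002 4625 alice
1003 4625 alice
1004 4625 alice
1005 4625 alice
1020 4625 bob
1031 4625 bob
1040 4720 svc_backup
1041 4738 svc_backup
1050 4726 alice
"""

ACCOUNT_EVENTS = {4720: "AD user created", 4726: "AD user deleted", 4738: "AD user modified"}
FAIL_THRESHOLD = 5   # alert when failures exceed this ("more than 5 times")
FAIL_WINDOW = 10     # ... within this many seconds ("in the last 10 seconds")

def parse_line(line):
    ts, event_id, user = line.split()
    return int(ts), int(event_id), user

def evaluate(log_text, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return a list of (timestamp, alert text) for the rules above.
    Failed logons are tracked per user in a sliding window of `window` seconds;
    one alert fires per burst once the count exceeds `threshold`."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent failed logons
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user = parse_line(line)
        if event_id in ACCOUNT_EVENTS:
            alerts.append((ts, f"{ACCOUNT_EVENTS[event_id]}: {user}"))
        elif event_id == 4625:
            recent = failures[user]
            recent.append(ts)
            while recent and ts - recent[0] > window:  # expire failures older than the window
                recent.popleft()
            if len(recent) > threshold:
                alerts.append((ts, f"{len(recent)} failed logons for {user} within {window}s"))
                recent.clear()  # reset so a single burst produces a single alert
    return alerts

if __name__ == "__main__":
    for ts, msg in evaluate(SAMPLE_LOG):
        print(ts, msg)
```

In the sample, alice’s six failures in six seconds trigger the burst alert, while bob’s two failures 11 seconds apart do not.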

A notification can also be received when someone is abusing his or her access rights, since the AD log captures the access event with the username and file names.

One should be proactive rather than reactive; as we all know, “prevention is better than cure”. It is important to detect the right issue at the right time, but it is more important to get hold of the issue ahead of time. Our software can be configured to detect important events, such as the shutdown of a critical system, and alert you immediately.

With our integrated “Remedy Actions”, you can also define rules that dictate actions to be performed automatically. For instance, Windows agents can be configured to automatically restart applications that crash or freeze. Other possible actions include blocking access from a specified IP, shutting down a service, or deactivating a user account.

By now you must have realised that log management helps IT departments in many ways: react faster, become more proactive, improve security efficiency and compliance automation, and, most importantly, reduce operations support and cost.

What’s next? Discover it yourself. Try before you buy: we provide a 30-day free trial period. After all, problems can be solved once they are discovered. Don’t miss out, since this is just the tip of the iceberg!