Automated Log Management and Analysis using Splunk for Computer Incident Investigations
I define “Log Analysis” as a process of collecting system logs (syslog) and event data from computer systems, network devices and applications to look for anomalous events that are malicious or are in violation of organizational policies.
Many organizations spend thousands of dollars on equipment deployment, but ignore the system and event logs from those exact systems. Log analysis is one of the most overlooked aspects of operational computer and network security today.
Traditionally, security teams would use outdated methods and inefficient analysis techniques such as command lines and scripts to review log files. Furthermore, the security team has limited access to data, and when that data has to be collected from multiple locations and equipment to be analyzed, that often increases the amount of time necessary to produce a conclusion of an incident.
By introducing Splunk a search engine for log data that supports many log sources such as Apache access logs, mysql database logs, and any log in standard syslog format, we were able to be more productive in our log analysis.
Splunk comes in two versions, basic and professional. The basic version is free as long as you keep the data limited to 500MB a day while the professional version cost is dependant on the amount of data collected as well as some other neat features.
Splunk provides both real-time and historical visibility into all network, application, server and user activity to support investigations, alerting and reporting. It provides that bridge security and computer investigators need to do their jobs right.
For more information on Splunk and log management you can visit: