Zvýšení bezpečnosti nasazením SIEM systému v prostředí malého poskytovatele internetu / Security Enhancement Deploying SIEM in a Small ISP Environment

Bělousov, Petr

January 2019

Diplomová práce se zaměřuje na zvýšení bezpečnosti v prostředí malého poskytovatele internetu nasazením SIEM systému. Dostupné systémy jsou porovnány a zhodnoceny v souladu s požadavky zadávající firmy. Projekt nasazení systému SIEM je navržen, implementován a zhodnocen v souladu s unikátním prostředím firmy.

A structured approach to selecting the most suitable log management system for an organization

Kristiansson Herrera, Lucas

January 2020

With the advent of digitalization, a typical organization today will contain an ecosystem of servers, databases, and other components. These systems can produce large volumes of log data on a daily basis. By using a log management system (LMS) for collecting, structuring and analyzing these log events, an organization could benefit in their services. The primary intent with this thesis is to construct a decision model that will aid organizations in finding a LMS that most fit their needs. To construct such a model, a number of log management products are investigated that are both proprietary and open source. Furthermore, good practices of handling log data are investigated by reading various papers and books on the subject. The result is a decision model that can be used by an organization for preparing, implementing, maintaining and choosing a LMS. The decision model makes an attempt to quantify various properties such as product features, but the LMSs it suggests should mostly be seen as a decision basis. In order to make the decision model more comprehensive and usable, more products should be included in the model and other factors that could play a part in finding a suitable LMS should be investigated.

log management

log management system

splunk

elasticsearch

aws

Computer Sciences

Datavetenskap (datalogi)

[en] AN ARCHITECTURE FOR REAL TIME LOG EVENTS PROCESSING / [pt] UMA ARQUITETURA PARA PROCESSAMENTO DE EVENTOS DE LOG EM TEMPO REAL

RICARDO GOMES CLEMENTE

10 December 2008

[pt] Logs são, atualmente, riquíssima fonte de informação para administradores de sistemas e analistas de negócio. Em ambientes com grande volume de acesso e infra-estrutura de centenas de servidores, processar toda a informação gerada e correlacioná-la com o objetivo de identificar situações de interesse técnico e de negócio em tempo real, é considerado um grande desafio. Nesse sentido, são explicados tanto os conceitos relacionados aos arquivos de log e aos sistemas que se propõem a gerenciá-los, quanto os métodos e ferramentas de correlação de eventos em tempo real, para que, então, seja proposta uma arquitetura de sistema capaz de lidar com o desafio citado. Por fim, um protótipo é desenvolvido e uma prova de conceito baseada em um caso real de uso é realizada. / [en] Logs are, nowadays, a rich source of information for system administrators and business analysts. In environments with a high access volume and hundreds of servers, to process every generated information and correlate it, in order to identify interesting technical and business situations in real time, is considered a challenge. Considering that, concepts related to log files and systems that aim to manage it, besides methods and tools for real time event correlation are presented, in order to propose a system architecture capable of overcoming the stated challenge. At last, a prototype is developed and a concept prove based on a real case is done.

[pt] LOG

[en] LOG

[pt] SISTEMAS DE GERENCIAMENTO DE LOG

[en] LOG MANAGEMENT SYSTEMS

[pt] CORRELACAO DE EVENTOS

[en] EVENT CORRELATION

Investigation and Implementation of a Log Management and Analysis Framework for the Treatment Planning System RayStation

Norrby, Elias

January 2018

The purpose of this thesis is to investigate and implement a framework for log management and analysis tailored to the treatment planning system (TPS) RayStation. A TPS is a highly advanced software package used in radiation oncology clinics, and the complexity of the software makes writing robust code challenging. Although the product is tested rigorously during development, bugs are present in released software. The purpose of the the framework is to allow the RayStation development team insight into errors encountered in clinics by centralizing log file data recorded at clinics around the world. A framework based on the Elastic stack, a suite of open-source products, is proposed, addressing a set of known issues described as the access problem, the processing problem, and the analysis problem. Firstly, log files are stored locally on each machine running RayStation, some of which may not be connected to the Internet. Gaining access to the data is further complicated by legal frameworks such as HIPAA and GDPR that put constraints on how clinic data can be handled. The framework allows for access to the files while respecting these constraints. Secondly, log files are written in several different formats. The framework is flexible enough to process files of multiple different formats and consistently extracts relevant information. Thirdly, the framework offers comprehensive tools for analyzing the collected data. Deployed in-house on a set of 38 machines used by the RayStation development team, the framework was demonstrated to offer solutions to each of the listed problems.

Elastic stack

Elasticsearch

Logstash

Kibana

Filebeat

Log management

Structured logging

Software Engineering

Programvaruteknik

Logghantering : En undersökning av logghantering och logghanteringssystem

Flodin, Anton

January 2016

This research includes a review of the log management of the company Telia. The research has also included a comparison of the two log management sys- tems Splunk and ELK. The review of the company’s log management shows that log messages are being stored in files on a hard drive that can be accessed through the network. The log messages are system-specific. ELK is able to fetch log messages of different formats simultaneously, but this feature is not possible in Splunk where the process of uploading log messages has to be re- peated for log messages that have different formats. Both systems store log messages through a file system on a hard drive, where the systems are installed. In networks that involve multiple servers, ELK is distributing the log messages between the servers. Thus, the workload to perform searches and storing large amounts of data is reduced. Using Splunk in networks can also reduce the workload. This is done by using forwarders that send the log messages to one or multiple central servers which stores the messages. Searches of log messages in Splunk are performed by using a graphical interface. Searches in ELK is done by using a REST-API which can be used by external systems as well, to retrieve search results. Splunk also has a REST-API that can be used by external sys- tems to receive search results. The research revealed that ELK had a lower search time than Splunk. However, no method was found that could be used to measure the indexing time of ELK, which meant that no comparison could be made with respect to the indexing time for Splunk. For future work there should be an investigation whether there is any possibility to measure the indexing time of ELK. Another recommendation is to include more log management sys- tem in the research to improve the results that may be suitable candidates for the company Telia. An improvement suggestion as well, is to do performance tests in a network with multiple servers and thereby draw conclusions how the performance is in practice. / Denna undersökning har innefattat en granskning av logghanteringen som exi- sterar hos företaget Telia och en jämförelse av två logghanteringssystem: Splunk och ELK. Undersökningen visar att loggmeddelanden hos företaget har olika format och lagras i filer på en hårddisk som nås genom nätverket. Både ELK och Splunk kan hantera loggmeddelanden med olika format. ELK kan läsa in loggmeddelanden av olika format samtidigt, men detta är inte möjligt i Splunk då inläsningsprocessen måste repeteras för loggmeddelanden som har olika format. Båda systemen lagrar loggmeddelanden genom ett filsystem på en servers hårddisk där systemen är installerad. I nätverk som involverar flera servrar arbetar ELK distributivt genom att distribuera loggmeddelanden mellan dessa servrar. Följder av distribuering av loggmeddelanden ger en lägre arbets- börda för varje server i nätverket. I nätverk där Splunk används kan forwarders användas som skickar vidare loggmeddelanden till en eller flera central server som lagrar loggmeddelanden, därmed kan arbetsbördan för sökningar och in- dexering av data minskas. Sökningar av loggmeddelanden i Splunk utförs ge- nom att använda ett grafiskt gränssnitt. Sökningar i ELK sker genom att använ- da ett REST-API som finns i systemet som även används av externa system för att hämta sökresultat. Splunk har också ett REST-API inkluderat som kan an- vändas för att exportera sökresultat. Undersökningen visade att ELK hade en lägre söktid än Splunk. För undersökningen fanns ingen metod att använda för att mäta indexeringstiden för ELK vilket innebar att ingen jämförelse kunde gö- ras med avseende på indexeringstid. För framtida arbete rekommenderas bland annat att undersöka om det finns någon möjlighet att mäta indexeringstiden för ELK. En annan rekommendation är att låta fler logghanteringssystem ingå i un- dersökningen för att förbättra resultatet som kan vara lämpliga kandidater för företaget Telia. Ett förbättringsförslag är att utföra prestandatester för ett nät- verk med flera servrar för att därmed dra slutsatser för hur prestandan är i praktiken.

Log

log management

Splunk

ELK

Telia

Logg

logghantering

Splunk

ELK

Telia

Software Engineering

Programvaruteknik

A comparative analysis of log management solutions: ELK stack versus PLG stack

Eriksson, Joakim, Karavek, Anawil

January 2023

Managing and analyzing large volumes of logs can be challenging, and a log management solution can effectively address this issue. However, selecting the right log management solution can be a daunting task, considering various factors such as desired features and the solution's efficiency in terms of storage and resource usage. This thesis addressed the problem of choosing between two log management solutions: ELK and PLG. We compared their tailing agents, log storage and visualization capabilities to provide an analysis of their pros and cons. To compare the two log management solutions we conducted two types of evaluations: performance and functional evaluation. Together these two evaluations provide a comprehensive picture of each tool's capabilities. The study found that PLG is more resource-efficient in terms of CPU and memory compared to ELK, and requires less disk space to store logs. ELK, however, performs better in terms of query request time. ELK has a more user-friendly interface and requires minimal configuration, while PLG requires more configuration but provides more control for experienced users. With this study, we hope to provide organizations and individuals with a summary of the pros and cons of ELK and PLG that can help when choosing a log management solution.

ELK

PLG

Log management

Elasticsearch

Logstash

Kibana

Promtail

Loki

Grafana

Computer Sciences

Datavetenskap (datalogi)

Logghantering med mjukvara

Schulze, Henrik, Brandberg, Fredrik

January 2016

Abstract By applying principles of conducting design science research, we have developed eight guide-lines for log management. By comparing with the literature on log management, we haveinvestigated the quality and relevance of the guidelines. We also investigated whether six of theeight guidelines are relevant in the sense that they can be supported by software. / Sammanfattning Genom att tillämpa principer för att bedriva forskning i design science, har vi tagit fram åttariktlinjer för en hantering av loggar. Genom jämförelse med litteratur om logghantering har viundersökt kvalitet och relevans hos riktlinjerna. Vi har även undersökt om sex av de åttariktlinjerna är relevanta i den meningen att mjukvara kan stödja dem.

Centralized Logging

Design Science

Log Management

Splunk

Splunk Enterprise

Splunk Web

splunkd.

Architecture and design requirements forEnterprise Security Monitoring Platform : Addressing security monitoring challenges in the financial services industry

Wierzbieniec, Gabriel

January 2018

Security Monitoring Platform (SMP) represents multiple detective controls applied inthe enterprise to protect against cyberattacks. Building SMP is a challenging task, as itconsists of multiple systems that require integration. This paper introduces a framework thatcompiles various aspects of Security Monitoring and presents respective requirements sets.SMP framework provides guidance for establishing a risk-based detection platform,augmented with automation, threat intelligence and analytics capabilities. It provides morebroad view on the problem of Security Monitoring in the enterprise context and can assist inthe platform creation. The proposed solution has been built using Design Science ResearchMethodology and contains of twenty requirements for building SMP. Expert evaluation andcomparison with similar frameworks show potential value in holistic approach to the problem,as well as indicate the need for further research.

Security Monitoring

SIEM

Log Management

SOC

Threat Intelligence

Security Analytics

Annan elektroteknik och elektronik

Centralized log management for complex computer networks

Hanikat, Marcus

January 2018

In modern computer networks log messages produced on different devices throughout the network is collected and analyzed. The data from these log messages gives the network administrators an overview of the networks operation, allows them to detect problems with the network and block security breaches. In this thesis several different centralized log management systems are analyzed and evaluated to see if they match the requirements for security, performance and cost which was established. These requirements are designed to meet the stakeholder’s requirements of log management and allow for scaling along with the growth of their network. To prove that the selected system meets the requirements, a small-scale implementation of the system will be created as a “proof of concept”. The conclusion reached was that the best solution for the centralized log management system was the ELK Stack system which is based upon the three open source software Elasticsearch, Logstash and Kibana. In the small-scale implementation of the ELK Stack system it was shown that it meets all the requirements placed on the system. The goal of this thesis is to help develop a greater understanding of some well-known centralized log management systems and why the usage of them is important for computer networks. This will be done by describing, comparing and evaluating some of the functionalities of the selected centralized log management systems. This thesis will also be able to provide people and entities with guidance and recommendations for the choice and implementation of a centralized log management system. / I moderna datornätverk så produceras loggar på olika enheter i nätverket för att sedan samlas in och analyseras. Den data som finns i dessa loggar hjälper nätverksadministratörerna att få en överblick av hur nätverket fungerar, tillåter dem att upptäcka problem i nätverket samt blockera säkerhetshål. I detta projekt så analyseras flertalet relevanta system för centraliserad loggning utifrån de krav för säkerhet, prestanda och kostnad som är uppsatta. Dessa krav är uppsatta för att möta intressentens krav på loghantering och även tillåta för skalning jämsides med tillväxten av deras nätverk. För att bevisa att det valda systemet även fyller de uppsatta kraven så upprättades även en småskalig implementation av det valda systemet som ett ”proof of concept”. Slutsatsen som drogs var att det bästa centraliserade loggningssystemet utifrån de krav som ställs var ELK Stack som är baserat på tre olika mjukvarusystem med öppen källkod som heter Elasticsearch, Logstash och Kibana. I den småskaliga implementationen av detta system så påvisades även att det valda loggningssystemet uppnår samtliga krav som ställdes på systemet. Målet med detta projekt är att hjälpa till att utveckla kunskapen kring några välkända system för centraliserad loggning och varför användning av dessa är av stor betydelse för datornätverk. Detta kommer att göras genom att beskriva, jämföra och utvärdera de utvalda systemen för centraliserad loggning. Projektet kan även att hjälpa personer och organisationer med vägledning och rekommendationer inför val och implementation av ett centraliserat loggningssystem.

Computer and Information Sciences

Data- och informationsvetenskap

Návrh informačního systému / Information System Design

Hraško, Branislav

January 2020

This diploma thesis evaluates the current state of a product developed by a company Kentico software s. r. o. called Kentico Kontent. Based on the analysis of the organization and the product is realized a proposal of a log management system designed for customers of the company which is currently not implemented in Kentico Kontent.