This post explains the concept of log management and provides
Description of Log Management
A log is a record produced by a device or application about its internal activity.
Logs are helpful for debugging or monitoring IT security.
Log management is an important part of cybersecurity, and it is used in IT security operations and incident response.
Log Management Standards
Log management standards:
- NIST SP 800-92
NIST SP 800-92
NIST SP 800-92 is a document published by NIST that addresses log management. It has the title “Guide to computer log management”.
NIST SP 800-92 official website
Log Management Libraries
Log management libraries:
- Log4J
Log4J is a log management library for Java.
Log Management Tools
Log management tools can also be considered SIEMs; there is no clear dividing line between the two.
Log management tools featured in this post:
- ElasticSearch
- LogStash
- Beats
- Kibana
- OpenSearch
- Logging Made Easy (LME)
Elastic Stack is the name given to the combination of the FOSS technologies ElasticSearch, Logstash, Beats and Kibana, which are often used together. All of them are developed by Elastic.
It was previously known as ELK Stack, ELK being an acronym of ElasticSearch, Logstash and Kibana.
ElasticSearch
ElasticSearch is developed by American-Dutch company Elastic.
It is source-available software.
LogStash
LogStash is developed by American-Dutch company Elastic.
It is source-available software.
Beats
Beats is developed by American-Dutch company Elastic.
It is source-available software.
OpenSearch
OpenSearch is a fork of ElasticSearch 7.10.2 and Kibana 7.10.2. The project was created after Elastic started to release the source code under a dual license (Elastic License and SSPL) instead of Apache 2.0.
It is developed by American company AWS, part of Amazon.
It is free and open source software (FOSS).
Graylog
Graylog offers Graylog Open, which is source-available, and Graylog Enterprise, which is proprietary.
Logging Made Easy (LME)
Logging Made Easy (LME) is a solution by CISA.
It is free and open source software (FOSS).
Apache Flume
Apache Flume is a tool to move large amounts of log data.
SIEM and SOAR
Security Information and Event Management (SIEM) is a subset of log management.
A Security Information and Event Manager (SIEM) is a tool that aggregates and correlates logs from different applications and systems, looks for security events and sends alerts.
A forwarder is a service running on a log-generating endpoint that sends its logs to a SIEM.
You can find a list of SIEM solutions in this post.
A security orchestration, automation and response (SOAR) system is a stack of compatible software programs that enables an organization to collect data about security threats and respond to security events with little or no human assistance by providing automatic playbook responses.
List of SOAR solutions.
Data Visualization
Data visualization tools are frequently coupled with log management tools, as they allow creating dashboards for system monitoring.
You can find a post about data visualization tools.