Log correlation

Log correlation is the collection, correlation and reporting of security events from critical data assets in a network, in real time, in order to detect unusual or unauthorized activity. System administrators often call it audit trail event management: an audit trail contains every action from one point in time to another, an event is a single recorded action, and a log is a collection of such events.

Correlation has to cope with several properties of logs:

  • Log formats vary greatly from system to system, between versions of the same system, and over time as configurations change.
  • Some logs are written in plain language that a human can easily understand, while others emit cryptic system codes; before entries from different sources can be compared, logs need to be “normalised” into a common schema.
  • Each log sees events through its own siloed lens: a network IDS has seen packets and streams, while an application log has seen sessions, users and requests.
  • Each log entry records a static, fixed point in time, without the context of the sequence of related events before and after it.

Log correlation is used in two modes:

  • Passive intrusion detection is used for post-attack detection and for reconstructing the attack, and usually requires manual review of event and application logs.
  • Active intrusion detection is used to detect attacks as they take place; it follows what is happening and looks for known attack patterns and commands.
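As an added example (not part of the original article), the following Python script shows both halves of the process the lists above describe: normalising two different log formats, a BSD-syslog sshd log and a web-server access log, into one common event schema, then running a stateful rule over the merged, time-ordered stream so that a sequence that only shows up across both silos (repeated authentication failures, a success from the same address, then web activity from it) is detected as one attack. The log lines are constructed for the example; the year and UTC zone assumed for the syslog timestamps, the 60-second window and the failure threshold are illustrative choices, not values from the page.

```python
"""Added example: normalise two constructed log formats into one event schema,
then correlate the merged stream across sources and time."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption (not from the page): BSD syslog lines carry no year or zone, so
# they are taken to be UTC and to belong to ASSUMED_YEAR.
ASSUMED_YEAR = 2024

# Constructed sample logs, not real captures.
SSHD_LOG = """\
Mar 10 10:01:02 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2
Mar 10 10:01:04 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 4445 ssh2
Mar 10 10:01:07 host1 sshd[1234]: Accepted password for root from 203.0.113.5 port 4446 ssh2
Mar 10 10:05:30 host1 sshd[1300]: Failed password for alice from 198.51.100.7 port 5000 ssh2
Mar 10 10:20:00 host1 sshd[1400]: Accepted publickey for alice from 198.51.100.7 port 5001 ssh2
"""
WEB_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:01:30 +0000] "GET /admin/ HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2024:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3})")


def parse_sshd(line):
    """Normalise one sshd syslog line; None for lines the schema ignores."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {"ts": ts, "source": "sshd", "host": m["host"], "src_ip": m["ip"],
            "user": m["user"], "action": "auth", "detail": m["method"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure"}


def parse_web(line):
    """Normalise one access-log line into the same schema as parse_sshd."""
    m = WEB_RE.match(line)
    if not m:
        return None
    ts = (datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
          .astimezone(timezone.utc).replace(tzinfo=None))  # naive UTC, like sshd
    return {"ts": ts, "source": "web", "host": None, "src_ip": m["ip"],
            "user": None, "action": "http", "detail": f'{m["method"]} {m["path"]}',
            "outcome": "success" if m["status"].startswith("2") else "failure"}


def normalise(sshd_text, web_text):
    """Merge both sources into one time-ordered list of normalised events."""
    events = []
    for parser, text in ((parse_sshd, sshd_text), (parse_web, web_text)):
        for line in text.splitlines():
            ev = parser(line)
            if ev:
                events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(seconds=60), threshold=2):
    """Stateful rule over a time-ordered stream: >= threshold auth failures from
    one source IP inside `window`, followed by an auth success from that IP, is a
    brute-force success; an HTTP request from the same IP within `window` of the
    success is flagged as post-compromise activity."""
    alerts = []
    failures = defaultdict(list)  # src_ip -> timestamps of recent auth failures
    compromised = {}              # src_ip -> time of the brute-force success
    for ev in events:
        ip, ts = ev["src_ip"], ev["ts"]
        if ev["action"] == "auth":
            # Expire failures that have slid out of the window.
            failures[ip] = [t for t in failures[ip] if ts - t <= window]
            if ev["outcome"] == "failure":
                failures[ip].append(ts)
            elif len(failures[ip]) >= threshold:
                alerts.append({"rule": "brute_force_success", "ts": ts, "src_ip": ip,
                               "user": ev["user"], "failures": len(failures[ip])})
                compromised[ip] = ts
                failures[ip].clear()
        elif (ev["action"] == "http" and ip in compromised
              and ts - compromised[ip] <= window):
            alerts.append({"rule": "post_compromise_http", "ts": ts, "src_ip": ip,
                           "user": None, "detail": ev["detail"]})
    return alerts


def run_example():
    """Correlate the constructed logs; returns the list of alerts."""
    return correlate(normalise(SSHD_LOG, WEB_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Run as a script it prints two alerts for 203.0.113.5 and none for 198.51.100.7, even though the second address also shows a failure followed by a success: those two events are fifteen minutes apart, which is exactly the sequence context a single static log line cannot carry and a rule over the merged stream can.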