Log management comprehensive architecture in Security Operation Center (SOC)

Afsaneh Madani, Saed Rezayi, Hossein Gharaee
DOI: 10.1109/CASON.2011.6085959 (https://doi.org/10.1109/CASON.2011.6085959)
Published in: 2011 International Conference on Computational Aspects of Social Networks (CASoN)
Publication date: 2011-12-01
Citations: 28

Abstract

With the widespread use of information systems, the variety of security logs has increased greatly, which creates a need for security log management. Organizations are required to collect, store, and analyze tremendous volumes of log data across their entire infrastructure, for extended durations and at increasingly granular levels. Log management is the process of generating, transmitting, storing, analyzing, and disposing of security log data, from the network through to databases. Because logs are so varied, storage involves different methods. Events recorded by the collection module are processed, normalized, and classified. Logs are kept in the storage module for forensics, review, and auditing, and to supply the correlation module with what it needs. Routine log correlation analysis is useful for identifying security incidents, policy violations, and fraudulent activity, and for troubleshooting operational network problems. Log management is therefore an important and effective activity in network monitoring. The main goal of this paper is to find an effective functional architecture for log management in network event analysis. We propose a log management architecture built from the functions most commonly implemented by vendors. From a study of logging architectures, the main functions are administration of log collection, normalization, categorization, queuing and prioritization, and storage of the events/alarms logged by sensors. Logging functions differ between products, but a suitable architecture must accommodate them so that normalized, synchronized, and prioritized logs are delivered efficiently. These functions are drawn from the characteristics of SIEM products. The proposed architecture comprises the functions and activities of a log collection server and a storage server.
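The abstract names the stages of the proposed architecture (collection, normalization, categorization, queuing and prioritization, storage, correlation) without showing how they connect. The following is an added illustration, not code from the paper or from any vendor's SIEM: a minimal in-memory pipeline that runs those stages over a constructed feed of heterogeneous log lines (BSD-style syslog from sshd and cron, and a JSON firewall sensor record). The input lines, the normalized field names, the priority ranking and the correlation thresholds are all assumptions chosen for the example.

```python
"""Toy log-management pipeline: collect -> normalize -> categorize ->
prioritize/queue -> store -> correlate.  Added illustration only, not code
from the paper.  Log lines, field names and thresholds are constructed."""
import heapq
import json
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Constructed sample feed: syslog PRI = facility*8 + severity (86 = authpriv.info,
# 30 = daemon.info) plus one JSON record from a hypothetical firewall sensor.
SAMPLE_LOGS = [
    "<86>2024-03-01T10:00:01Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 5222 ssh2",
    "<86>2024-03-01T10:00:03Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 5223 ssh2",
    "<86>2024-03-01T10:00:05Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 5224 ssh2",
    '{"ts":"2024-03-01T10:00:09Z","sensor":"fw1","action":"deny","src":"203.0.113.7","dst":"10.0.0.5","dport":3389}',
    "<86>2024-03-01T10:00:12Z host1 sshd[1201]: Accepted password for root from 203.0.113.7 port 5225 ssh2",
    "<30>2024-03-01T10:00:20Z host2 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<host>\S+) (?P<app>[\w-]+)\[\d+\]: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)")


def normalize(line: str) -> Optional[dict]:
    """Collection + normalization: map each raw format onto one common schema."""
    if line.startswith("{"):                      # JSON sensor record
        rec = json.loads(line)
        return {"ts": rec["ts"], "host": rec["sensor"], "source": "firewall",
                "severity": 4, "outcome": rec["action"], "src_ip": rec.get("src"), "user": None,
                "msg": f"{rec['action']} {rec['src']}->{rec['dst']}:{rec['dport']}", "raw": line}
    m = SYSLOG_RE.match(line)
    if not m:
        return None                               # unparseable; a real collector keeps the raw line
    ev = {"ts": m["ts"], "host": m["host"], "source": m["app"], "severity": int(m["pri"]) % 8,
          "outcome": "info", "src_ip": None, "user": None, "msg": m["msg"], "raw": line}
    s = SSH_RE.match(m["msg"])
    if s:                                         # enrich sshd auth messages with outcome/user/ip
        ev.update(outcome="failure" if s["outcome"] == "Failed" else "success",
                  user=s["user"], src_ip=s["ip"])
    return ev


def categorize(ev: dict) -> str:
    """Classification: assign each normalized event to a category (assumed mapping)."""
    return {"sshd": "authentication", "firewall": "network"}.get(ev["source"], "system")


def prioritize(ev: dict) -> int:
    """Prioritization: 0 is handled first. Auth events and denied flows outrank routine
    syslog; syslog severity <= 3 (error or worse) bumps an event up one rank."""
    rank = {"authentication": 1, "network": 2, "system": 3}[ev["category"]]
    if ev["outcome"] in ("failure", "deny") or ev["severity"] <= 3:
        rank -= 1
    return max(rank, 0)


def _t(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def correlate(store: list, threshold: int = 3, window_s: int = 60) -> list:
    """Correlation rule (assumed thresholds): >= threshold auth failures from one source
    IP followed by an auth success from the same IP within window_s seconds."""
    by_ip = defaultdict(list)
    for ev in store:
        if ev["category"] == "authentication" and ev["src_ip"]:
            by_ip[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        fails = []
        for ev in sorted(evs, key=lambda e: e["ts"]):   # store is in priority order; re-sort by time
            if ev["outcome"] == "failure":
                fails.append(ev)
            elif ev["outcome"] == "success":
                recent = [f for f in fails
                          if 0 <= (_t(ev["ts"]) - _t(f["ts"])).total_seconds() <= window_s]
                if len(recent) >= threshold:
                    alerts.append({"rule": "brute-force-then-success", "src_ip": ip,
                                   "user": ev["user"], "failures": len(recent), "ts": ev["ts"]})
                fails = []
    return alerts


def run_pipeline(lines):
    """Drive the stages end to end; returns (stored events in processing order, alerts)."""
    queue, store = [], []
    for seq, line in enumerate(lines):
        ev = normalize(line)
        if ev is None:
            continue
        ev["category"] = categorize(ev)
        ev["priority"] = prioritize(ev)
        heapq.heappush(queue, (ev["priority"], seq, ev))   # priority queue, FIFO within a rank
    while queue:                                           # drain the queue into the store
        store.append(heapq.heappop(queue)[2])
    return store, correlate(store)


if __name__ == "__main__":
    stored, alerts = run_pipeline(SAMPLE_LOGS)
    print([(e["priority"], e["category"], e["msg"]) for e in stored])
    print("alerts:", alerts)
```

On the sample feed the three sshd failures are queued at rank 0 ahead of the firewall deny and the successful login, the cron entry drains last, and the correlation pass over the store raises one alert for 203.0.113.7 (three failures followed by a success for root within the window). The point the abstract makes is visible here: the queue orders events by priority, so the storage layer must be re-sorted by timestamp before correlation, which is why synchronized time across sensors matters as much as normalization.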