Log Management. Event Monitoring. Log Analysis & Reporting. Forensic Readiness.

Assuria Log Manager (ALM) has achieved CESG CCTM approval and securely collects and manages audit logs to comply with regulations. The small footprint ALM agents are available for Windows, UNIX and Linux servers, databases, applications, network devices, firewalls, routers, access control systems and many more. Collection from new log sources can be added via agent plug-ins. Collected logs are stored in their original format in a standard file / folder structure with log data integrity ensured through digital signatures and cryptographic hashes.

Operating systems, system software and applications have for many years had features to write audit logs to record events, data or actions taken.   The benefits of using log data are well known to IT professionals who have used the information contained in logs for diagnostics and to verify actions taken by software, often as the first steps in problem identification.

Today such audit logs have attained a much higher level of importance; this is driven by several factors including policy compliance requirements.  Organisations of all sizes and in both the public and private sector are increasingly required to be in compliance with an increasing number of legislative and industry regulations and standards. The requirements are driving organisations to seek tools to assist and automate their log management and compliance processes. 

Uses for collected logs and log data can vary from near real-time collection and in-memory correlation of network traffic, through near real-time alerting / host based intrusion detection, regulatory compliance reporting, problem identification and resolution to incident response and forensic analysis.

Enquire about this product

Assuria Log Manager (ALM) Key Features

• Enterprise Wide Log Collection. Secure and forensically sound collection of logs into a central store.
• Log Management. Enterprise wide automated log management, including log rotation. 
• Forensic Readiness. Logs are collected in a secure and forensically sound manner, retaining their original form and complete with relevant meta data, thus allowing repeated examination with new analysis rules and use of the logs by other applications and processes.
• Real-time Event Alerting. Configurable to specific log events, sent via Email and/or SNMP.
• Agent Based Collection. Ensures the security, continuity and integrity of all collected logs.
• Digitally Signed. An RSA/SHA256 digital signature is calculated and the log digitally signed before transfer. Transfer is authenticated and encrypted using TLS.
• Secure Storage. Log cataloguing, chain of custody records, archive creation and management.
• Archive. To secure long term storage, complete with a digitally-signed manifest. 
• Scalable and Modular Architecture. Designed to support almost any sized IT environment up to thousands of log sources. Supports multiple collection points, with load balancing and resilience built-in.
• Analysis. Collected logs are processed by a rules-driven analysis and anomaly detection engine. Flexible and extensible analysis rules allow ‘interesting’ events to be tagged and written to a database for further analysis and reporting.
• Unstructured Querying.  ALM provides facilities to analyse and report on stored log data, in effect allowing unstructured ‘Google’ type searches on any item, providing effective interactive analysis and learning features, often leading to new analysis rules and reporting.
• Reporting. Flexible analysis, correlation, aggregation and reporting in HTML, PDF, XLS, XML and CSV.
• Data Export. Export of collected log data to external systems in various forms – raw logs, form normalised or content normalised.

Architecture Components

• Log Manager Agent: Monitors and collects logs and securely transfers to the Collector. The Agent can optionally sign each log.
• Log Manager Alerter: An optional near real-time alerter, integrated with the Log Manager agent, that can be configured to generate alerts when specific events are detected in monitored logs.
• Log Manager Collector: Receives logs from Agents and transfers the log to the Log Store. Validates received logs and can optionally sign each log. Logs are indexed as they are collected and stored.
• Log Store: A file structure used to store collected logs, metadata and ALM configuration and report data.
• Log Manager Database: holds information about tagged ‘Interesting Events’, Agents, Logs and Agent policies.
• Log Data Analyser: Analyses logs, tagging those with interesting events as defined in a set of ‘Content Packs’.  The analysis results are stored in the database for reporting and display.

• Log Data Archiver:  Manages the archiving of selected sets of logs based on flexible criteria. Allows tracking of archives on secondary and  removable media.
• Log Data Reporter:  Provides a flexible report generation system based on database queries and employing XML/XSL technologies to produce reports in HTML, TEXT or PDF.
• Log Manager Console: A GUI to manage Agents and policies; provides the interface to the reporting and archiving functionality.
• Log Manager Content pack: ‘Content Packs’ are used to define log format, content and rules for event identification and tagging.  A ‘Content Pack’ is required for each type/format of log.

Resilient configuration

Assuria Log Manager is a modular system and can be configured in a number of ways in order to meet user requirements for high availability and / or resilience of volume / capacity.

Multiple collectors can be configured and agents configured so that they can use whichever Collector is available with Load Balancing.

The Store and Database can, where required, be replicated using replication functionality native to the store or database. If required multiple agents can be installed on a single log source system though each agent must handle its own unique set of logs.

ALM Log Sources

Just simply looking at a list of the type of logs that can be supported by ALM, there is a wide range of log sources that are supported out of the box, including those listed below (note - this is just a sample list - please contact Assuria for the full list of supported log sources):  

Please note that the list of supported log types is growing rapidly through new customer implementations, so please ask for the latest list. However, ALM's architecture also means that almost any log type can be fully supported, even custom application logs, so please let us know what your log management needs are! 

Syslog the untrusted standard

Assuria have created a whitepaper that outlines the significant drawbacks to using syslog due to it's lack of data integrity both in it's format and protocol. The whitepaper explains how Assuria can help secure the original standards but highly recommends avoiding syslog if possible in favour of the vendors own log mechanisms.

Download In Syslog we trust Whitepaper

Assuria ALM CCTM

• Product Name: Assuria Log Manager 
• Vendor Name: Assuria Ltd
• Models/Version: 4
• CCTM Awarded Date: 28th October 2011
• CCTM Valid Until Date: 27th October 2012
• CCTM Certificate Number: 2011/10/0102

Compliance Standard

Requirement 10 Track and monitor all access to network resources and cardholder data

GCSX No 13 Protective Monitoring

A.10.10 Monitoring

Logs have become essential to demonstrate compliance to regulations and standards.

Uses for log data in addition to regulatory compliance include:

• Incident response and investigation
• Forensic analysis
• Problem identification and resolution
• Network traffic monitoring (near Real time) and anomaly detection
• Operations and Service Level monitoring
• Marketing analysis

Today’s operating systems, applications and network devices, including Windows and LINUX / UNIX, can produce vast amounts of audit data within their logs. There are few tools available today to provide for reliable management of this log data.

Assuria Log Manager Report on Count of Notable Events and Login Failures

Download Assuria Log Manager Datasheet

Computer Security Log Management