Thursday, April 29, 2010

Event Log Correlation

Event Correlation
Correlation is a term being used more and more frequently in the security world. Overwhelmed by the volume of data collected from computer systems, routers, and other network devices, administrators increasingly appreciate tools that can paint a larger picture of what happened across the network at a particular point in time. This sort of picture can become extremely useful when examining the forensics behind a security breach or a virus outbreak.



Same-platform correlation
Same-platform correlation is useful for organizations that primarily run one operating system throughout their network. For example, companies that run Microsoft network operating systems such as Microsoft Windows 2000 may want to collect event log entries from all of their various servers so that they can do trend analysis across different systems. In this example, event log correlation could show the first computer that was infected with a network-propagating virus and how the virus spread throughout the network.



Cross-platform correlation
In organizations with larger networks, many different operating systems and network hardware platforms may coexist alongside one another. For example, client desktops may run Windows 2000 Professional, yet use a Linux-based firewall and email gateway, which in turn utilizes a Cisco router to send and receive traffic from the Internet. In this case, a more effective event log correlation solution may be one that can consolidate and monitor log entries from several different systems, such as Microsoft Windows event logs and syslog messages forwarded from the Linux machines and Cisco routers. An example illustrating the power of a correlation product in this scenario could be an attempted security breach. For example, logon attempts from both the Linux-based firewall system and from Windows 2000 desktop clients could be forwarded to a central computer capable of processing incoming syslog packets and Windows event log entries. If a hacker breached the firewall and attempted to access a desktop machine, a logon audit trail would be available at the central system monitoring the different types of messages.
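The scenario above, as an added example that is not part of the original post: a minimal collector that normalizes sshd syslog lines from the Linux firewall and Windows 2000 Security log records (event 529 = failed logon, 528 = success; 4625/4624 on later Windows versions) into one schema, then flags any source address that shows logon activity on both platforms within a short window. The host names, addresses and dict layout of the forwarded Windows records are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: sshd syslog lines forwarded by a Linux firewall, and
# Windows 2000 Security log records in the dict form a forwarding agent might
# hand to the central collector (event_id 529 = failed logon, 528 = success).
SYSLOG_LINES = [
    "2010-04-29T10:00:01 fw01 sshd[812]: Failed password for root from 203.0.113.7 port 5022 ssh2",
    "2010-04-29T10:00:05 fw01 sshd[812]: Accepted password for admin from 203.0.113.7 port 5023 ssh2",
]
WINDOWS_EVENTS = [
    {"time": "2010-04-29T10:00:40", "host": "desk17", "event_id": 529, "user": "jdoe", "src_ip": "203.0.113.7"},
    {"time": "2010-04-29T12:30:00", "host": "desk03", "event_id": 529, "user": "asmith", "src_ip": "198.51.100.9"},
]

SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ "
                     r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def parse_syslog(line):
    """Map one sshd syslog line onto the common schema; None if it is not a logon record."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"time": datetime.fromisoformat(m["ts"]), "platform": "linux", "host": m["host"],
            "user": m["user"], "src_ip": m["ip"],
            "outcome": "fail" if m["result"] == "Failed" else "success"}

def parse_windows(ev):
    """Map one Windows Security event record onto the same schema."""
    return {"time": datetime.fromisoformat(ev["time"]), "platform": "windows", "host": ev["host"],
            "user": ev["user"], "src_ip": ev["src_ip"],
            "outcome": "fail" if ev["event_id"] == 529 else "success"}

def correlate(events, window=timedelta(minutes=5)):
    """Return {src_ip: [hosts]} for sources seen logging on to both platforms within `window`."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):   # one time-ordered stream per source
        by_ip[e["src_ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["time"] - a["time"] <= window and a["platform"] != b["platform"]:
                    hits.setdefault(ip, set()).update({a["host"], b["host"]})
    return {ip: sorted(hosts) for ip, hosts in hits.items()}

def run():
    # Merge both feeds; neither log alone shows the firewall-then-desktop pattern.
    events = [e for e in map(parse_syslog, SYSLOG_LINES) if e]
    events += [parse_windows(ev) for ev in WINDOWS_EVENTS]
    return correlate(events)
```

On the constructed data, `run()` reports 203.0.113.7 touching both fw01 and desk17 within 39 seconds, while the unrelated failed logon on desk03 is left alone.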



Recommendations
At a bare minimum, organizations should deploy an event log correlation system that matches the platform utilized by the majority of systems on the network. If budgets and resources permit, opting for a cross-platform capable log correlation system can paint a much richer picture of activity occurring on many different levels of the network.
