Log Collection Glossary 2020

As you dig deeper into the topic of log collection and SIEM, you might come across some IT terminology or acronyms you haven’t encountered before. In this article, we are going to enumerate and explain the most commonly used IT expressions in the fields of IT security and log collection, in order to make your research easier.


1. Agent: A computer program deployed on a device that performs a set of tasks according to instructions defined in the agent software, taken either from a template or from a unique configuration file, which determine how logs will be collected on that device.

2. Agent-based log collection: A mode of log collection in which an agent is installed on each device, which then collects, parses and forwards logs to the log collection server. The agent also converts the logs into the required format before forwarding.

3. Agent-less log collection: A mode of log collection in which the source of the log events (a host, client, device, etc.) forwards the logs directly to a remote log collection host without using an agent. There are cases when agent-based log collection is not feasible, usually due to technical, administrative, or compliance reasons.

4. Audit log: A type of log that contains a non-repudiable record of IT system events. It contains information that is compliant from an auditing standpoint - such as the destination, source address, and timestamp.

5. CEF (Common Event Format): A text-based log format developed by ArcSight™ that contributes to the interoperability of security information gathered from different security and network applications or devices. CEF ensures that logs are in a standardized format which makes analysis easier and faster.

6. CSV (Comma-separated values): A data format which uses commas as a delimiter to separate data values. It is mostly used to store numbers and text in plain text format.

7. Data sources: Applications, devices, hosts, or systems within an enterprise infrastructure that generate event and incident logs, which can be sent to a SIEM or Log Management suite for processing and analysis.

8. DNS logging: Capturing one or more types of events generated either by DNS servers or the queries sent by DNS clients to a DNS server. Attackers use DNS for many malicious activities, like data theft, DoS, or Command and Control attacks. DNS monitoring is crucial to revealing the onset of such attacks so that they can be thwarted before any damage is done.

9. Endpoint security application: An application that secures devices used by workers within an enterprise, such as laptops or desktops, which can be possible points of entry for malevolent attackers and exploiters. Logs generated by these applications include anti-virus logs.

10. EPS (Events Per Second): The standard unit of measurement for log processing rate: how many events an application can process in one second. Most SIEM tools' pricing depends on the EPS capacity requirement.

11. ETW (Event Tracing for Windows): A kernel-level mechanism in Microsoft Windows that enables the recording of kernel or application-defined events with a high level of efficiency. It can be used to trace the activities of attackers and output into log files.

12. Event Correlation: The process of data analysis based on predetermined rules. It uses logs collected from applications, hosts or other agents, then identifies relationships based on a set of criteria.

13. GELF (Graylog Extended Log Format): A JSON-based format popularized by Graylog. It contains structured log data so that the fields are already available for analysis. A great format for logging on Graylog2 or GELF-compliant tools.

14. JSON (JavaScript Object Notation): A common language-independent open standard file format and data interchange format. It enables log data to be structured and standardized in attribute-value pairs. The Unicode encoding makes this messaging format universally accessible.

15. Kernel log: A set of detailed information that a device logs from boot time onward about hardware drivers, kernel status, and other kernel events on the system.

16. KVP (Key-Value Pairs): Also called "name-value pairs", this is what enables log messages to hold structured data that is easily read and processed by humans and machines.

17. LEEF (Log Event Extended Format): A log format used by IBM Security QRadar products. It describes an event using key-value pairs, and provides a list of predefined event attributes. It has a customized event format with UTF-8 character encoding.

18. Log centralization: The process of collecting log data from multiple log sources and sending them to a central and accessible log collection system, in order to manage them in a transparent and unified interface.

19. Log normalization: The process of grouping and formatting all log entries generated by different devices or systems into a unified structure, which can be accepted by the SIEM software for analysis.

20. Log parsing: The process of extracting relevant data from the value field of a log. The value field can be the raw message itself or another attribute.

21. MSSP (Managed Security Service Provider): A third party that provides security monitoring and management solutions for clients, such as intrusion detection, vulnerability scanning or anti-viral processes.

22. Multi-line logs: A type of log that uses multiple lines for storing each event record. A typical example of this is a stack trace log, which starts with a timestamp followed by an error message and finally the stack trace. These logs yield highly important information for debugging and troubleshooting.

23. NetFlow data: Data collected by NetFlow, a Cisco network protocol designed to log and monitor IP traffic. Using NetFlow data, one can analyze the source, destination, and volume of IP traffic.

24. Open Source: Software which has its source code open to the public, so that developers can modify and adapt it to their specific needs. Moreover, the distribution of the entire software package or any of its components is not restricted by any party.

25. SCCM (System Center Configuration Manager): A suite available on Windows systems that enables administrators to remotely manage applications on a large number of Windows-based computers. This is especially useful in an enterprise environment for deploying upgrades or new software to Windows workstations and servers.

26. SEM (Security Event Management): A computer security discipline with the purpose of storing and interpreting events and logs on a network. It uses real-time monitoring and event correlation to inspect all recorded data.

27. SIM (Security Information Management): A computer security discipline that aims to collect log files into a centralized repository for long-term analysis.

28. SIEM (Security Information and Event Management): IT security solutions that analyze security logs arriving from endpoint data sources. They generate alerts for SOC teams about potential issues, and can generate security reports for compliance purposes.

29. SNMP (Simple Network Management Protocol): An Internet Standard Protocol that is used for network monitoring. It is commonly used to collect and organize security logs and events arriving from managed devices on IP networks. It can also be used to modify information in order to alter device behavior.

30. SOC (Security Operations Center): A facility where IT security teams work, whose responsibility is to monitor and analyze an enterprise’s security 24/7. Their job is to detect, measure and solve security incidents.

31. Structured logging: The act of structuring unstructured data to facilitate analysis and log parsing. Commonly used formats are JSON, CSV, XML, or KVP, among others.

32. Syslog: An IT standard for message and event logging. It can be used by any application or device to report on its status, incidents, and diagnostics to a logging server. It is commonly used by network equipment, like routers, switches, and Unix systems.

33. TCP (Transmission Control Protocol): An Internet protocol that computers use to communicate with each other. It provides reliable, ordered, and error-checked delivery of a stream of octets (bytes) between applications.

34. TLS (Transport Layer Security) / SSL (Secure Sockets Layer): Internet protocols that ensure secure communication over a computer network. They use cryptography to encrypt the data that is transmitted.

35. UEBA (User and Entity Behavior Analytics): A cybersecurity practice that utilizes event logs to learn from the behavior of users or networks to create models based on them. Using these models, it is easier to recognize malicious activity or signs of a cyberattack.

36. UDP (User Datagram Protocol): An Internet protocol used by computers to send messages and data to each other. It does not establish a formal connection before sending data and is therefore not reliable: packets may be lost.

37. Vendor-neutral: A design approach that does not allow a single vendor to control or dictate specifications, definitions, or distribution of a given technology. Being vendor-neutral equates to broad compatibility and interchangeability of tools and technologies. Vendor-neutrality enables easier integration and seamless processes that are important when integrating log collection across different endpoints.

38. W3C Extended Log File Format: An ASCII log format that permits customized log fields, allowing only relevant fields to be included and unwanted fields to be omitted. The format is readable by generic analysis tools.

39. WEC (Windows Event Collector): An agent-less solution to collect events from Windows computers. In this process, a Windows server acts as the "collector" and the other computers send the required events to it.

40. WEF (Windows Event Forwarding): A native Windows service that provides event forwarding capabilities. It reads the operational and administrative Windows Event Logs generated by a chosen device and forwards the necessary logs to a WEC (Windows Event Collector).

41. Windows Event ID: Information about each event is stored in the Windows Event Log in an event log record. A sequence of numbers, called the RecordNumber, refers to this type of event, known as Event IDs. These are unique per source but are not globally unique. The same ID may be used by different sources to identify unrelated occurrences.

42. WMI (Windows Management Instrumentation): An operating system interface in which security components provide a notification. It provides an infrastructure for managing remote systems and providing management data. WMI event logs can be collected via Windows Event Log or ETW.


Now that you are aware of the most commonly used terms when talking about log collection, log analysis, and IT security, you can continue your research and delve deeper into these topics. We hope this glossary will eventually help you find solutions and answers to your security log management issues and questions.

NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice.
