In the cyber world, logging is fundamental for tracking electronic activity, whether for troubleshooting or for digital forensics.
With device proliferation, especially in the IoT domain, a substantial volume of logs is generated, making log review a difficult task.
SIEM (Security Information and Event Management) technology has surfaced to relieve this tedious task. It consolidates and correlates event logs and picks out "interesting" scenarios for automated action or human alerting.
The challenges are:
- What types (or levels, e.g. brief, detail, info, warning, critical) of logging are available and required: platform, infrastructure, application …
- Context of log data: time of day, time zone, IP address, user identities, machine names, machine addresses …
- How to ship the logs from different network zones to the central SIEM without breaking network zoning
- A common clock source to keep time in sync across all these network zones
- Algorithm for event correlation (human-defined rules or machine learning)
- Criteria for automating alerts with confidence (false negatives or false positives will ruin the trust)
- Most importantly, logging must comply with relevant regulations and provide transparency to the affected users or customers about how these log data are used, retained and disposed of
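The context, clock and correlation points above are easier to see in working code. The following is an added example, not part of the original post: it takes log lines forwarded from two network zones whose sources write timestamps in different offsets, normalises them onto a single UTC timeline with the zone recorded as context, and runs a simple human-defined correlation rule (several failed logins for the same user and source address, followed by a success, counted across zones). The sample lines, host names, IP addresses, user names, the 5-minute window and the threshold are all constructed assumptions for illustration.

```python
"""Added example: normalise log lines from two network zones onto one UTC
timeline and correlate them with a human-defined rule.  Sample data,
field names, window and threshold are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample lines (zone, raw line).  The application zone logs in
# UTC+02:00, the VPN zone in UTC; hosts, users and addresses are made up.
SAMPLE_LOGS = [
    ("app-zone", "2024-03-01T09:00:05+02:00 host=web01 user=alice src=10.0.1.5 event=login_failed"),
    ("app-zone", "2024-03-01T09:00:40+02:00 host=web01 user=alice src=10.0.1.5 event=login_failed"),
    ("vpn-zone", "2024-03-01T07:01:10+00:00 host=vpn01 user=alice src=10.0.1.5 event=login_failed"),
    ("vpn-zone", "2024-03-01T07:03:30+00:00 host=vpn01 user=alice src=10.0.1.5 event=login_ok"),
    ("app-zone", "2024-03-01T15:00:00+02:00 host=web02 user=bob src=10.0.2.9 event=login_failed"),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(zone, line):
    """Parse one 'timestamp key=value ...' line into a normalised event.

    The timestamp is converted to UTC so that events from zones with
    different local offsets share one clock.  This only works if the
    sources' clocks are themselves synchronised (e.g. via NTP); the
    conversion cannot repair skew between hosts.
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.fromisoformat(m.group("ts")).astimezone(timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = ts
    fields["zone"] = zone  # context: which network zone forwarded this line
    return fields


def normalise(records):
    """Turn (zone, line) pairs into a single chronologically sorted timeline."""
    events = [parse_line(zone, line) for zone, line in records]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Human-defined correlation rule: flag a successful login for a
    (user, src) pair that was preceded by at least `threshold` failed
    logins within `window`, counting failures from every zone together.

    `threshold` and `window` are the tuning knobs that trade false
    positives against false negatives.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), evs in by_key.items():
        for i, e in enumerate(evs):
            if e["event"] != "login_ok":
                continue
            recent_failures = [
                x for x in evs[:i]
                if x["event"] == "login_failed" and e["ts"] - x["ts"] <= window
            ]
            if len(recent_failures) >= threshold:
                alerts.append({
                    "user": user,
                    "src": src,
                    "failures": len(recent_failures),
                    "zones": sorted({x["zone"] for x in recent_failures}),
                    "at": e["ts"],
                })
    return alerts


def run(records=SAMPLE_LOGS, **rule_args):
    """Normalise then correlate; returns the list of alerts."""
    return correlate(normalise(records), **rule_args)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Seen from either zone alone, alice's failures would not reach the threshold; only after normalising the offsets and merging the zones does the rule fire. Raising the threshold to 4 on the same data produces no alert at all, which is the kind of sensitivity a team has to settle on before trusting an alert enough to automate a response.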