CorreLog, Inc.   Solutions   Products   Download   Partners   News   Support   About Login

Solutions > Federal And Large Enterprise Solutions - FAQs

Correlog has special capability working with Federal (and other) large enterprises. Our technology operates either independently of, or alongside, other technology to improve threat management and incident response capabilities. This functionality includes the ability to interoperate with virtually any previously installed similar products or other solutions executing on Windows or UNIX-based systems.


CorreLog's Anomaly and Auditing Extraction Module (AAEM) software solution provides the immediate flexibility to complement technologies that may have been previously deployed U.S. Government environments, such as ArcSight, McAfee ePO, or HP Openview. Moreover, CorreLog offers a wide range of deployment options, including multi-tiered and/or highly centralized or decentralized environments, or any combination thereof.

Correlog offers data security managers a rapid and scalable solution to accommodate virtually any iteration and combination of environment architectures or existing solutions or applications. In sum, Correlog's COTS software offers an existing and immediate approach to address the risk of inadequate or cumbersome threat detection and management, thereby avoiding costly, untested, or unnecessary delays associated with designing to-be- developed solutions.

CorreLog can consolidate data from multiple sources to enable the mining, discovery, correlation, and analytics needed to visualize actionable information. This capability is critical to the presentation of Common Operating Picture and Situation Awareness.

Government DoD & Civilian Customers: Please contact CorreLog directly for information pertaining to CorreLog's products developed to meet unique U.S. Government needs, such as the detection of insider threats.

What is the message capacity of CorreLog?
CorreLog operates in a stand-alone or distributed environment. Each copy of CorreLog can receive messages from 9999 data sources CorreLog stores collected data for a maximum of 5000 days. In a distributed environment, CorreLog can act as an agent and feed messages to a higher-level copy of CorreLog (or some other collector.) In this case, CorreLog is scalable by X10000. In practice, a two- tier system can handle in excess of 3 million devices, and message rates exceeding 1 million events per second across an enterprise.

What specific firewalls, routers, mainframes, UNIX operating systems can be managed?

CorreLog is a standards-based system that collects log data using a combination of syslog, and SNMP, as well as various optional adapters and agents to gather log data. View list.

CorreLog operates with all versions of Windows X86 based systems (including Windows 2003, 2008, Windows 7, Vista, and XP), and all devices that support syslog and SNMP, including Cisco, Juniper, all UNIX and Linux platforms, Sonic Wall, Checkpoint, and many other devices.

CorreLog does not require an agent to manage UNIX platforms, and uses the native syslog and SNMP capability of these programs. However, CorreLog also includes specialized agents, log file monitors, and file integrity monitors that execute on Linux, Solaris, AIX, and HPUX systems. (These agents can be used to extend the range of monitoring to include arbitrary streaming log files and application programs.)

CorreLog can receive messages from Windows event logs (via either WMI or the CorreLog windows agent). CorreLog can also receive data from application programs executing on Windows or UNIX based systems, including Apache servers, IIS servers, McAfee ePO, and any other application that produces a streaming log file.

Finally, CorreLog supports an MVS Z/OS Mainframe Agent that monitors SMF and RACF messages on mainframe LPARS.

What other environments are available for management? (Example, printers?)
CorreLog has several adapters that can poll data from many different devices in addition to receiving syslog and SNMP traps. This includes an SNMP monitor that can extend the range of CorreLog to poll network printers, routers, switches, wireless devices, relational databases, DHCP servers, and other SNMP capable equipment.

CorreLog has a POP3 adapter that permits messages mailed from any system to be treated as standard messages, permitting CorreLog to interoperate with any e-mail sending program (such as a trouble-ticketing system.)

CorreLog includes a "File Transfer Queue" that allows any file copied to a particular folder to be read by CorreLog, useful for managing systems that may generate log files, but which have no other management capability other than FTP or HTTP. Information on CorreLog adapters can be found here...

What is the numerical limitation to quantity of correlated messages from firewalls, routers, and mainframes?
Each copy of CorreLog can collect, search, correlate, archive, and report on up to 20 Gbytes worth of data daily. A single system supports up to 2000 different real-time correlation rules.

The maximum number of events per second is typically 2500 to 5000 messages per second per copy of CorreLog. In a two-tier management strategy, the user can scale upwards to a maximum of 10,000 CorreLog implementations, each managing 1 million devices and 1 million users (2500 to 5000 messages per second).

What is the architecture for deployment?
CorreLog can be configured to operate as a distributed system, where each copy of the program collects data from a group of devices (up to 1 million devices per copy.) CorreLog stores the data locally, or on a remote disk. CorreLog can correlate the data, detect anomalies or exceptions, and forward this information to a higher copy of CorreLog, with possible failover capability. Using this two-tier architecture, CorreLog can manage millions of devices and millions of messages per second.

CorreLog has specific elements to support its role as a distributed enterprise management system as follows (1) CorreLog runs on a wide selection of Windows operating systems, and can co-exist with other server applications on a node (2) CorreLog is easily installed, does not require the target system to be rebooted, and can be installed using MSI files (3) CorreLog includes optional encrypted TCP tunneling processes to securely and reliably send data over long distances, including secure transmission across a public network (4) CorreLog includes an SNMP agent that permits a network manager to obtain status on many different installations using a standards-based protocol (5) CorreLog includes a distributed search capability, which can launch simultaneous searches on multiple copies of CorreLog (6) CorreLog is entirely web-based and relies on no console for all configuration activities (7) CorreLog can be remotely distributed and configured from a centralized location using secure SNMP or HTTPS.

CorreLog can be configured to require the “two-man” rule for any solution modifications or configuration changes.

What are the deployment limitations? (Can CorreLog execute in virtualized environments?)
CorreLog is not an appliance, and is a software-only solution. The program does not require a database, but can make use of an ODBC compliant database if available. CorreLog does not require Java or .NET to fully execute, and requires no third-party software.

The CorreLog server software executes on Windows 2003, 2008, XP, Vista, and Windows 7 systems. Depending upon the message throughput, CorreLog can usually co-exist with other applications. CorreLog runs in a Virtual Machine with no adaptation required.

General information on CorreLog site requirements, along with Frequently Asked Questions regarding CorreLog deployment, can be found here...

How Many Devices Can CorreLog Support?
CorreLog can support millions of nodes (or more) in a distributed system. This would require a minimum of 100 different CorreLog servers, each handling a specific device type, network region, or other arbitrary division. (See response 5 above for details on how CorreLog operates as a distributed enterprise data collection and management system.) The theoretical maximum number of devices that can be managed in a two-tier system is 100 billion devices.

Can the device operate with DHCP leases, expiring at hourly intervals?
CorreLog can track devices by IP address, device name, or keyword. CorreLog includes an "address override" facility that tags devices based upon IP address, message content and keyword, or time-of-day. This permits CorreLog to track devices based upon some unique identifier (other than the DHCP assigned IP address, which may change periodically.)

Can the product support log files that are overwritten at periodic hourly or daily intervals?
CorreLog is a real-time system. In most cases, CorreLog immediately receives event information as it occurs, eliminating the need to keep log files on the native system.

Can software cover devices such as printers, scanners, storage devices, each with separate log files?
CorreLog correlates data by device type, device location, user name, time of day, and other arbitrary criteria. CorreLog aggregates messages, and then assigns messages to one or more "catalogs" of information that correspond to the requirements of the user. Therefore, CorreLog can create a catalog of information specific to a single printer, all printers, all printers of a specific type, etc.

How does the product comply with FIPS 140-2?
Information on CorreLog and FIPS compliance is available here... as well as under our "Support" link here...

Provide an overview of clients where the product has been installed
CorreLog is currently deployed at a variety of Federal, state, and local governments, as well as various commercial enterprises. Commercial enterprises include both domestic and foreign countries. CorreLog serves as a general-purpose security solution as well as a solution for regulatory compliance (such as PCI-DSS, HIPAA, SOX, and other security specifications.)

Explain total operating costs from pilot through fielding, including operations, maintenance, training, and support.
CorreLog is intended to be a highly cost-effective solution that maximizes return on investment. This is a major objective of both the product and the company. Achievement of high ROI for our customers and partners is explicitly incorporated in the company's mission statement, available at the corporate website here...

What version of McAfee's ePO is supported?
CorreLog supports McAfee ePO Versions 4.0 and 4.5. CorreLog is a certified McAfee Solutions Integration Alliance (SIA) partner.

Can CorreLog run in an environment where some EPO is not supported?
CorreLog receives events from one or more copies of ePO, and can send correlated results to one or more copies of ePO. Therefore, the program can operate in an "N X N" type fashion, accepting data from multiple copies of ePO and relaying correlated results to multiple copies of EPO.

How does the product store / backup data?
CorreLog stores archive data for a maximum of 5000 days within a user specified folder. (The precise time interval is configurable by the CorreLog administrator.)

Log message data is compressed using Gzip, and stored in daily time stamped log files. Each log file has a message digest in clear text, and a second message digest encrypted using a one-way encryption algorithm to prevent tampering with the message digest or file. The Gzip compression provides approximately 80% compression rates of typical log data.

Additional Notes

CorreLog also provides a variety of standards-based agents and adapters that interoperate with other log file management systems. These adapters include Windows and UNIX agents for log management, Mainframe z/OS and MVS agents for RACF and SMF monitoring, Interfaces to McAfee ePO, AND FIPS compatible encryption, File Integrity Monitor (FIM) software for Windows and UNIX platforms, as well as other highly specialized interface software for custom requirements.

View Other Solutions & Services...

This is CorreLog
Security Compliance
Free Trial Download
Request Product Demo
Purchase CorreLog

Privacy  |  Product Licensing  |  Contact Us  |  Toll-free USA: 1-877-CorreLog

CorreLog: High Performance Correlation, Search and Log Management

Copyright © 2010-2016, CorreLog, Inc. All rights reserved.
All trademarks and registered trademarks used herein are the properties of their respective owners.


Google, Twitter, Digg, SlashDot, Cisco, Microsoft