The CorreLog SIEM Server provides a standards-based method of collecting all the system log messages of your network using syslog protocol and SNMP traps. These messages are then correlated into understandable threats, alerts, and actions using sophisticated (but easily configured) rules, and reduced to actionable “tickets” that are sent to users, and which can trigger automatic remediation of incidents.
The SIEM Server provides special application in security monitoring for your enterprise, and furnishes a variety of special functions and features to support this critical role, including data encryption, ready-to-run correlation rules and TCP tunneling software. Other roles of CorreLog, including performance management, analysis of business information, and log file analysis are also supported within the product.
The CorreLog SIEM Server is specifically designed to leverage the capabilities of your existing infrastructure without requiring extensive installation of agents or other software. The program is designed for high capacity, enterprise scale message aggregation, ease of navigation, small footprint, extensibility, and high internal security, available in a single web-based console.
- High Speed Message Reception. CorreLog SIEM is suitable to operate as the single SNMP Trap and Syslog receiver for all devices on the network of large enterprises. CorreLog SIEM can process more than 2000 messages per second and can handle burst traffic of more than 10,000 messages in one second (depending upon the supporting hardware.) CorreLog SIEM tracks and catalogs devices on the network without hard upper limit. You can receive messages from virtually unlimited numbers of sources.
- High Speed Message Correlation. CorreLog SIEM uses an advanced correlation engine, which performs semantic analysis of your messages in real-time. The system employs correlation threads, correlation counters, correlation alerts, and correlation triggers, which refine and reduce your incoming messages into something you can easily understand. We have pioneered various correlation techniques, and are redefining the state-of-art in “semantic correlation”.
- Flexible Reporting. CorreLog SIEM incorporates various reporting facilities, including an Excel-based reporting facility that populates spreadsheets with summary and detailed event information, and an ODBC reporting facility that populates one or more databases with report information to support third-party report writers. Additionally, CorreLog SIEM includes a comprehensive dashboard facility, a “Pivot” log analyzer (for analyzing firewall data, HTTP server logs, and other “regular” data) and comprehensive graphing utilities useful for reporting on correlation results. The CorreLog Server comes preconfigured with compliancy reports and correlation rules to support these reports. Additional report templates can be loaded (or saved) using a built-in “Template” facility.
- Data Aggregation and Archiving Functions. The CorreLog SIEM system can aggregate vast amounts of data. It can collect in excess of 1 Gigabyte of data each day at a single site, and save this data online for up to 500 days (given enough storage.) Additionally, CorreLog SIEM compresses and archives your data, retaining this data for a period of more than 10 years (5000 days). To assist in forensics and long-term analysis, CorreLog SIEM generates archival data such as MD5 checksums and Security Codes.
- Data Searching Ability. One of the most important functions of the CorreLog SIEM system program is its search capability. CorreLog SIEM uses its proprietary GenDex (Generate Data Extraction) program, which employs a high speed, real time index system. This allows quick searches through massive amounts of message data. The performance of this engine rivals the fastest search engines currently available. Users can search a terabyte of data for a particular keyword in less than one second.
- Taxonomy, Ontology, and Catalog Functions. Taxonomy and categorization of data is at the center of our unique correlation system. The CorreLog SIEM Server automatically catalogs information by IP address, username, facility, and severity. Users can further create catalogs of information based upon simple or complex match patterns. Data is cataloged based upon specifications consisting of simple keywords, wildcards and regular expressions, logical expressions of wildcards, macro definitions of regular expressions, and logical combinations of macros. This provides a complete flexibility in managing and grouping message data, while still maintaining high data throughputs, and avoiding the rigors of data normalization.
- Ability To Define New Syslog Facilities. One of the commonly noticed limitations of Syslog protocol has always been that the “Facility” codes (which define the data sources for syslog messages) are limited to 24 predefined codes. The CorreLog program removes this restriction, permitting users to define their own facilities, such as “applications”, and “devmsgs”, so that data can be better categorized and managed. This important extension to the syslog protocol opens important new vistas in the practical use of Syslog messages and their correlation, not otherwise available using the standard specification.
- Ability To Override Message Content. One of the commonly noticed limitations of SNMP Trap and Syslog protocol has always been that, since messages are unsolicited, the message collector is stuck with whatever message, severity, or facility was originally specified by the message sender. In some cases the severities or facilities within a message may be nonsensical. The CorreLog program recognizes this existing limitation and implements a sophisticated “override” scheme, which allows users to override the facility, severity, or device name in any message. This greatly assists with the control and correlation of data.
- Input Filtering. To reduce data loading, and permit precise control over incoming messages, CorreLog SIEM can filter input data by device, facility, severity, message keyword, time of day, or any combination of these. Filtered data can be discarded, or put into a separate repository (and possibly permanently archived) for further analysis or forensics. When data is filtered, it is automatically tagged with the particular filter expression, assisting in the analysis of filtered data. CorreLog treats filtered data with respect, permitting you to re-import discarded data and undo any particular filtering function.
- Automatic Remediation And Response. The CorreLog SIEM system incorporates a simple and extensible “Actions” capability, which permits you to target specific messages based upon device, keyword, facility, severity and/ or time of day, and run programs on that data. CorreLog SIEM includes utility programs to update relational ODBC databases, relay syslog messages, send SNMP traps, send e-mail, and perform other actions. The facility is designed for easy extensibility by administrators and developers to extend correlation and ticketing services of the program.
- Web Based Configuration. CorreLog SIEM is entirely web-based. All activities, including the establishment of logins and permissions, are completely achieved without a native console. This means that an administrator does not ordinarily need access to the CorreLog Server platform, except in rare instances to startup or shutdown the process. The location of the CorreLog Server can be strategically placed in a Network Operations Center (NOC) or secure cabinet, which has important implications for security.
- Suite of Utilities. The CorreLog Server system incorporates a suite of Win32 utilities, in one small package that is easily installed on Windows Vista, XP, or Windows 2000 servers. These utilities are redistributable, and greatly extend the ability to manage these platforms using Syslog protocol.
CorreLog SIEM operates on a variety of Microsoft platforms, including Windows Vista, XP, 20XX, or Windows 7 and 8.x systems. The program does not require Java, or .NET, or a relational database (although will take advantage of these components, if they are already installed on the host or client platform.)
The SIEM Server download package incorporates the Apache HTTP server, easy Windows based installation dialog, a ready-to-run configuration, and 500+ pages of indexed documentation in print-ready Adobe PDF format.
The system also includes a copy of the CorreLog Windows Agent and manual, so that users can easily add Syslog capability to an existing Windows platform, thereby making the CorreLog Server full-enterprise capable.
Importantly, CorreLog SIEM is designed for extremely easy installation. A typical installation requires less than one minute, and does not require the host platform to be rebooted.
XP, 20XX, or Windows & 8.X systems