Logsign Data Policy Manager(DPM)

Page 1: Logsign Data Policy Manager(DPM)

All Rights Reserved - Logsign 2015

Data Policy Manager

Security Information and Event Management

All Rights Reserved - Logsign 2015

LOGSIGN V4.0 WORKSHOP

Page 2: Logsign Data Policy Manager(DPM)

All Rights Reserved - Logsign 2015 www.logsign.com http://support.logsign.com

Overview

Easy to deploy via over 200 ready integrations and free plugin services, Logsign collects terabytes of logs and events in real time from hundreds of physical, virtual and cloud data sources.

Logsign’s enterprise-wide log collection techniques are WMI, Syslog, Oracle, SQL, CEF, File Share, NFS Share, FTP/SFTP, ODBC, LEA API and more.

As a result, log volumes are growing larger every day.

Logsign Data Policy Manager enables you to optimize log management in line with company policy and multiple regulations.

Page 3: Logsign Data Policy Manager(DPM)


Data Policy Manager

How?

Create data policies with Logsign DPM:

● for every single log source, or a group of sources, to collect logs;

● for setting the redundancy period of logs;

● for managing storage capacity, by choosing whether to include or exclude collected logs.

In this way Logsign DPM increases the effectiveness of collection and storage and the performance of indexing.

Page 4: Logsign Data Policy Manager(DPM)


For Input

In the For Input field, policies can be applied to data as it is collected, at the input level.

● With ‘Include by regexp’, the desired data is collected and written by adding specific rules or words; with ‘Exclude by regexp’, the unwanted data is specified by the rules you add.

Page 5: Logsign Data Policy Manager(DPM)


● With ‘Include by Key-Value’, defined columns and values in parsed logs (e.g. Windows logs) are set to be written to the system; with ‘Exclude by Key-Value’, they can be set not to be viewed in the system.

In the example on the slide, for Windows, successful and denied logon events are collected, but logoff events are set not to be collected.


Page 6: Logsign Data Policy Manager(DPM)


● Setting a redundancy period prevents your disk space from filling up with unnecessary files and logs: identical log lines captured within the specified time period are filtered out.


Page 7: Logsign Data Policy Manager(DPM)


For Parsing

● In the For Parsing field, you can specify a column, after the data has been parsed, to perform column-based filtering of repetitive data.

Page 8: Logsign Data Policy Manager(DPM)


For Indexing

In the For Indexing field, in addition to ‘Include/Exclude by Regexp’ and ‘Include/Exclude by Key-Value’:

● ‘Filter Index Fields’ allows you to index only the specified written columns (columns left out of the index also cannot be viewed in Search, Reports and Alerts).
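The For Input options above (include/exclude by regexp, include/exclude by key-value, redundancy period) and the Filter Index Fields option together form one filtering pipeline. The following is an added example, not Logsign code, that models that pipeline over a constructed set of parsed Windows logon events; the policy keys, the `raw` column and the sample values are assumptions chosen to mirror the deck's Windows example (logon success and failure kept, logoff dropped).

```python
import re
from datetime import datetime, timedelta

# Constructed sample of already-parsed Windows logon events (not Logsign output).
# "raw" stands for the original log line; the other keys are parsed columns.
SAMPLE_EVENTS = [
    {"ts": "2015-06-01T10:00:00", "EventID": "4624", "User": "alice", "SystemID": "dc01",
     "raw": "An account was successfully logged on"},
    {"ts": "2015-06-01T10:00:20", "EventID": "4624", "User": "alice", "SystemID": "dc01",
     "raw": "An account was successfully logged on"},  # repeat inside redundancy period
    {"ts": "2015-06-01T10:00:30", "EventID": "4625", "User": "bob", "SystemID": "dc01",
     "raw": "An account failed to log on"},
    {"ts": "2015-06-01T10:01:00", "EventID": "4634", "User": "alice", "SystemID": "dc01",
     "raw": "An account was logged off"},             # logoff: dropped by key-value rules
    {"ts": "2015-06-01T10:02:00", "EventID": "4624", "User": "svc", "SystemID": "dc01",
     "raw": "DEBUG account heartbeat logged on"},     # dropped by Exclude by regexp
    {"ts": "2015-06-01T10:30:00", "EventID": "4624", "User": "alice", "SystemID": "dc01",
     "raw": "An account was successfully logged on"},  # repeat outside period: kept
]
# Hypothetical policy mirroring the deck's options; the key names are assumptions.
POLICY = {
    "include_regexp": r"account",                 # Include by regexp
    "exclude_regexp": r"\bDEBUG\b",               # Exclude by regexp
    "include_kv": {"EventID": {"4624", "4625"}},  # Include by Key-Value: logon ok/failed
    "exclude_kv": {"EventID": {"4634"}},          # Exclude by Key-Value: logoff
    "redundancy_seconds": 60,                     # redundancy period for identical lines
    "index_fields": ["ts", "EventID", "User"],    # Filter Index Fields
}

def apply_policy(events, policy):
    """Return events surviving the policy, reduced to the indexed columns (events in time order)."""
    inc, exc = re.compile(policy["include_regexp"]), re.compile(policy["exclude_regexp"])
    window = timedelta(seconds=policy["redundancy_seconds"])
    last_seen = {}  # (SystemID, raw line) -> time the line was last written
    kept = []
    for ev in events:
        if not inc.search(ev["raw"]) or exc.search(ev["raw"]):
            continue  # regexp include/exclude on the unparsed line
        if any(ev.get(k) not in vals for k, vals in policy["include_kv"].items()):
            continue  # column value not in the allowed set
        if any(ev.get(k) in vals for k, vals in policy["exclude_kv"].items()):
            continue  # column value explicitly excluded
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["SystemID"], ev["raw"])
        if key in last_seen and ts - last_seen[key] < window:
            continue  # same line from the same source inside the redundancy period
        last_seen[key] = ts
        kept.append({k: ev[k] for k in policy["index_fields"]})
    return kept
```

Of the six constructed events only three are written and indexed, each carrying just the ts, EventID and User columns, which is why a field dropped by Filter Index Fields is no longer searchable afterwards.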

Page 9: Logsign Data Policy Manager(DPM)


For Indexing

In the Search menu, the results are viewed as shown below by default, before and after applying the Index Filter.

[Slide screenshots: search results BEFORE and AFTER the Index Filter]

Page 10: Logsign Data Policy Manager(DPM)


For Indexing

Additionally, for indexing, the desired data can be made viewable with the ‘Include Log’ option and the unwanted data set not to be viewed with the ‘Exclude Log’ option. When the ‘Include/Exclude Log’ option is enabled, values from the Event.SystemID column can be typed into the SystemID fields.

Page 11: Logsign Data Policy Manager(DPM)


For JSON Store & For RAW Store

● In the For JSON Store field, rules and filters can be specified with the same features as in the For Input and For Indexing fields.

● In the For RAW Store field, the desired or unwanted data is specified, by regexp rules at the first input level, as data to be collected or not.

Page 12: Logsign Data Policy Manager(DPM)


For Persisting

● In the For Persist field, the data can be stored in the system under specific names defined for each source.

Page 13: Logsign Data Policy Manager(DPM)


Summary

Therefore, Logsign DPM can be considered a SIEM use case.

Logsign DPM:

● Increased effectiveness of collection, storage and performance of indexing

● Multiple regulations

● Flexible & customized rule setting

Page 14: Logsign Data Policy Manager(DPM)

Thanks

http://support.logsign.net