Copyright Goodheart-Willcox Co., Inc.

Log Files
■ A log file is a record of events that occur during the operation of a server or computer. A log accumulates data about a system and its services, the dates and times of user actions, and other activities that affect the security of an organization.
■ Event logs are instrumental in troubleshooting and in investigating possible security incidents. They are also a key part of forensic investigations, where they serve as documentation or evidence.
■ Types of log files include system logs, network logs, application logs, security logs, web logs, PowerShell logs, DNS logs, authentication logs, dump files, VoIP logs, and SIP logs.

Syslog
■ System logging protocol (syslog) is the standard event-logging protocol used to send system and event log information to a designated server, called the syslog server. It enables the aggregation of logs from many sources into one central log for monitoring and review. Because the classic syslog transport is plaintext UDP, forwarded messages can be lost or spoofed in transit; syslog over TLS (RFC 5425) is the preferred transport to a central collector.
■ Syslog solutions differ in the review reports and functionality they offer. Syslog systems provide event correlation, which tracks attack patterns that occur across the network, and they serve as a source of data to support an investigation.
■ Two widely used implementations of syslog are rsyslog and syslog-ng. Another is NXLog, a multiplatform log management tool whose supported platforms include Android and Windows.

Security Information and Event Management (SIEM)
■ A security information and event management (SIEM) system is a software product that supports organizational security by collecting and compiling, in real time, the log data generated across a network and producing analyzed results and reports.
■ A SIEM system combines two separate security components: security information management (SIM) and security event management (SEM).
■ A SIEM system provides several features, including log aggregation, log collection, data inputs, packet capture, SIEM correlation, automated alerts, event deduplication, time synchronization, user behavior analysis, sentiment analysis, and SIEM logs.
■ To make the information easy to analyze, a SIEM system uses a SIEM dashboard, a tool that summarizes data and transforms it into useful information to support straightforward security monitoring.

SOAR
■ SOAR, or security orchestration, automation, and response, is a security solution that uses an array of software tools to collect data from multiple sources and generate an automated response.
■ Using SOAR solutions, routine security operations are executed automatically: data is collected from the broadest range of sources, with little or no human intervention, and the results are centralized.
■ SOAR enables an organization to simplify security operations in three key areas: threat and vulnerability management, incident response, and security operations automation.
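The syslog aggregation and SIEM correlation described above, as an added example that is not code from the textbook: a small Python pipeline that parses RFC 3164 and RFC 5424 syslog lines collected from two hosts, decodes the PRI field into facility and severity, normalizes every timestamp to UTC, drops an exact duplicate delivered over two forwarding paths, and raises one alert when a single source fails to log in repeatedly across hosts. The log lines, host names, and IP addresses are constructed for the example; the year and time zone applied to RFC 3164 timestamps are assumptions, since that format carries neither.

```python
"""Added example: parse syslog from several hosts, normalize, deduplicate, correlate."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input: RFC 5424 lines from web01 (UTC) and db01 (reporting in
# UTC+2), one legacy RFC 3164 line, and one exact duplicate of an earlier event.
SAMPLE_LINES = [
    "<38>1 2024-03-01T10:00:01+00:00 web01 sshd 1201 - - Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2",
    "<38>1 2024-03-01T10:00:03+00:00 web01 sshd 1201 - - Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2",
    "<38>1 2024-03-01T10:00:03+00:00 web01 sshd 1201 - - Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2",
    "<38>1 2024-03-01T12:00:05+02:00 db01 sshd 887 - - Failed password for root from 198.51.100.7 port 50001 ssh2",
    "<38>1 2024-03-01T12:00:09+02:00 db01 sshd 887 - - Failed password for root from 198.51.100.7 port 50002 ssh2",
    "<86>Mar  1 10:00:40 web01 sshd[1300]: Accepted publickey for deploy from 203.0.113.5 port 33001 ssh2",
    "<38>1 2024-03-01T10:30:00+00:00 web01 sshd 1400 - - Failed password for root from 203.0.113.9 port 1234 ssh2",
]

RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$")
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
ASSUMED_YEAR = 2024  # assumption: RFC 3164 timestamps carry no year and no zone


def parse(line):
    """Return a normalized event dict, or None if the line is not syslog."""
    m = RFC5424.match(line)
    if m:
        ts = datetime.fromisoformat(m["ts"])
    else:
        m = RFC3164.match(line)
        if m is None:
            return None
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(
            year=ASSUMED_YEAR, tzinfo=timezone.utc)
    pri = int(m["pri"])
    return {
        "ts": ts.astimezone(timezone.utc),          # time synchronization: one clock for all hosts
        "facility": pri >> 3, "severity": pri & 7,  # PRI = facility * 8 + severity
        "host": m["host"], "app": m["app"], "pid": m["pid"] or "-",
        "msg": m["msg"],
    }


def ingest(lines):
    """Parse every line, drop exact duplicates, and return events in time order."""
    seen, events = set(), []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["ts"], ev["host"], ev["app"], ev["pid"], ev["msg"])
        if key in seen:          # event deduplication
            continue
        seen.add(key)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: at least `threshold` failed logins from one source inside
    `window`. Severity is raised to high when the source hit more than one host."""
    by_src = defaultdict(list)
    for ev in events:
        m = FAILED_LOGIN.search(ev["msg"])
        if m:
            by_src[m["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        best, start = None, 0
        for end, ev in enumerate(evs):            # sliding window over time-ordered events
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            n = end - start + 1
            if n >= threshold and (best is None or n > best[0]):
                best = (n, start, end)
        if best:
            n, start, end = best
            hosts = sorted({e["host"] for e in evs[start:end + 1]})
            alerts.append({
                "rule": "ssh-bruteforce", "src": src, "count": n, "hosts": hosts,
                "severity": "high" if len(hosts) > 1 else "medium",
                "first": evs[start]["ts"], "last": evs[end]["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(ingest(SAMPLE_LINES)):
        print(alert)
```

Run as-is and the pipeline reports a single high-severity alert for 198.51.100.7, four failures across web01 and db01 within eight seconds. The db01 lines are the time-synchronization point: they arrive stamped 12:00 in UTC+2, and without converting every host to one clock they would sit two hours away from the web01 failures and never correlate. The repeated line is dropped on its key before correlation, so it does not inflate the count.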
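The SOAR flow described above, as an added example that is not the textbook's code: a toy playbook in Python that enriches an alert from several sources, decides on a response, and runs it through two safety gates a practitioner would insist on, namely no automatic block for addresses in a protected range and human approval before isolating a high-criticality host. The threat-intel entries, asset inventory, address ranges, and the `Firewall` connector are all constructed stand-ins for the example and are not any vendor's API.

```python
"""Added example: a toy SOAR playbook with enrichment, safety gates, and an audit trail."""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for a threat-intel feed, an asset inventory, and a
# never-block list of internal ranges (all values are assumptions).
THREAT_INTEL = {"198.51.100.7": "known brute-force source"}
ASSETS = {"web01": {"criticality": "medium"}, "db01": {"criticality": "high"}}
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
CRITICALITY_ORDER = ["low", "medium", "high"]


@dataclass
class Firewall:
    """Stand-in for the firewall connector a real SOAR platform would call (assumed)."""
    blocked: set = field(default_factory=set)

    def block(self, ip):
        # Idempotent: re-running a playbook must not fail or duplicate a rule.
        if ip in self.blocked:
            return "already-blocked"
        self.blocked.add(ip)
        return "blocked"


def enrich(alert):
    """Centralize context from several sources before deciding anything."""
    enriched = dict(alert)
    enriched["intel"] = THREAT_INTEL.get(alert["src"])
    enriched["asset_criticality"] = max(
        (ASSETS.get(h, {}).get("criticality", "low") for h in alert["hosts"]),
        key=CRITICALITY_ORDER.index)
    return enriched


def plan(alert):
    """Choose actions. Blocking is refused for protected ranges, and isolating a
    high-criticality host is queued for a human instead of run automatically."""
    actions = [{"type": "open_ticket", "target": alert["src"], "needs_approval": False}]
    src = ipaddress.ip_address(alert["src"])
    if any(src in net for net in NEVER_BLOCK):
        actions.append({"type": "escalate", "target": alert["src"], "needs_approval": False})
    elif alert["intel"] or alert["severity"] == "high":
        actions.append({"type": "block_ip", "target": alert["src"], "needs_approval": False})
    if alert["asset_criticality"] == "high":
        for host in alert["hosts"]:
            if ASSETS.get(host, {}).get("criticality") == "high":
                actions.append({"type": "isolate_host", "target": host, "needs_approval": True})
    return actions


def run_playbook(alert, firewall, approvals=frozenset()):
    """Execute the plan and return an audit trail of (action, target, outcome)."""
    enriched = enrich(alert)
    trail = []
    for action in plan(enriched):
        step = (action["type"], action["target"])
        if action["needs_approval"] and step not in approvals:
            trail.append(step + ("pending-approval",))
            continue
        if action["type"] == "block_ip":
            trail.append(step + (firewall.block(action["target"]),))
        else:
            trail.append(step + ("done",))
    return trail


if __name__ == "__main__":
    fw = Firewall()
    alert = {"rule": "ssh-bruteforce", "src": "198.51.100.7",
             "hosts": ["db01", "web01"], "severity": "high"}
    print(run_playbook(alert, fw))                                     # isolate_host pending
    print(run_playbook(alert, fw, approvals={("isolate_host", "db01")}))  # analyst approved
```

The first run opens a ticket, blocks the source, and parks the isolation of db01 as pending approval; the second run, with the analyst's approval supplied, completes it and reports the block as already in place rather than failing. An alert whose source is an internal address is escalated instead of blocked, so a misfiring rule cannot cut off an internal scanner. Automatic response that can block an internal range or isolate a production database is a SOAR failure mode in its own right; the never-block list and the approval gate are what keep "with little or no human intervention" from meaning "without a safety net".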