Document Ver. 6.0 / Document Ver. 7.5.2_5 En
※ ALog ConVerter is a registered trademark of AMIYA Corporation.
※ Company names and trademarks mentioned are the registered names of the respective companies and their products.
※ The specifications and functions of the products mentioned may be modified for improvement without notice.
© AMIYA Corporation 2
What is ALog EVA?
ALog EVA dramatically expands the range of the ALog series.
It is a new integrated data management tool that is easy and flexible to use, which sets it apart from integrated log products that are difficult to operate.
ALog EVA Field
ALog EVA plays an active role as a "data bank of records". In recent years it has also been used as a data set (preprocessing for organizing data) and as an analysis platform for AI and big data.
Internal Fraud
- Identify the person who deleted vital data
- Copy history of confidential data
Cyber Attack
- Understanding external attacks
- Unauthorized app user discovery
Work Style Reform
- Overtime work ranking
- Detect neglect of duty
IoT
- Factory sensors
- Water quality research
- Temperature control
AI / Big Data
- Automobile travel data
- Physical measurement
- Medical records data
Wireless LAN
- All records of connections
- Detect access by unregistered devices
The ALog EVA Advantage
1. Simple Layout and Settings: Easy to Understand, Easy to Use
Clear visuals and ease of use. Our experience gathering log data from a diverse range of devices has allowed us to provide a multitude of standard mapping templates. ALog EVA features an intuitive GUI and easy settings.
2. Options Are Unnecessary
Search and report functions come standard.
The GUI is uniform across the series to ensure ease of administration across programs.
3. Save Locations Are Shared
Saves data simply and efficiently.
Our years of expertise have gone into converting stored data into useful logs.
4. Cost Performance
Log recording and data storage shouldn't be so expensive!
We offer long-term use of our programs at prices that are as affordable as possible.
From storage only...
  Security Privilege has divided to new Log On
  Subject: Security ID AMIYADEMODC\Administrator  Account Name: administrator  Account Domain: AMIYADEMODC  Log On ID: 0x8FE064
  Security Privilege: Take Ownership Privilege, Load Driver Privilege, Backup Privilege, Restore Privilege ...
...to useful data.
Speedy Log Mapping
Specialized templates for common log data are already provided with the software. Simply select the one you want to use.
1. Select the template
2. Select the log data destination
3. Select the frequency
4. Setting complete
(Example: server access log)
*Download additional templates from our support website.
Unified Formatting
Manage log data using the ALog series common interface. The unified GUI performs search and reporting functions, allowing log management from multiple sources.
Processing flow: Collection -> Conversion -> Search -> Analyze/Report (report output)
Points
• Uniform management of multiple log types
• Threshold-based alert notifications
• Combined search and scheduled reporting functions
• Incident monitoring
• No optional tool needed
Automatic unification of time format
Various types of time formats are unified into a single time format automatically. There is no need to write a conversion for each definition, which makes it easy to collect logs from multiple products.
Before: every time format had to be fixed by hand even though they represent the same date.
After: automatically converted into a single unified time format.
Automatically recognizable formats:
yyyy/MM/dd HH:mm:ss.FFFFFFF
yyyy/MM/dd H:mm:ss.FFFFFFF
yyyy-MM-dd HH:mm:ss.FFFFFFF
yyyy-MM-dd H:mm:ss.FFFFFFF
yyyy/MM/dd HH:mm:ss
yyyy/MM/dd H:mm:ss
yyyy-MM-dd HH:mm:ss
yyyy-MM-dd H:mm:ss
yyyyMMdd HHmmssFFFFFFF
yyyyMMdd HHmmss
MMM dd HH:mm:ss.FFFFFFF
MMM d HH:mm:ss.FFFFFFF
MMM dd HH:mm:ss
MMM d HH:mm:ss
Example inputs from different devices:
Device A  2017/04/03 09:38:00
Device B  2017-04-03 09:39:09
Device C  2017 Apr 3 09:38:22
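An added Python example (not ALog EVA's own code) showing how the format families in the list above can be recognized and rewritten into one unified format; it goes beyond the page by also sorting the normalized records of several devices on a single time axis. The year supplied for the syslog-style form, the chosen target format and the truncation of a seventh fractional digit are my assumptions.

```python
import re
from datetime import datetime

# One regex per family on the page's list of automatically recognizable formats
# (my reading of the .NET-style pattern strings, not ALog EVA's own parser).
NUMERIC = re.compile(  # yyyy/MM/dd HH:mm:ss[.FFFFFFF]; '-' separator and 'H' too
    r"^(\d{4})([/-])(\d{2})\2(\d{2}) (\d{1,2}):(\d{2}):(\d{2})(?:\.(\d{1,7}))?$")
COMPACT = re.compile(  # yyyyMMdd HHmmss[FFFFFFF]
    r"^(\d{4})(\d{2})(\d{2}) (\d{2})(\d{2})(\d{2})(\d{1,7})?$")
SYSLOG = re.compile(  # MMM d HH:mm:ss[.FFFFFFF] (BSD syslog style, no year)
    r"^([A-Za-z]{3}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,7}))?$")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
UNIFIED = "%Y-%m-%d %H:%M:%S.%f"  # the single target format chosen here

def is_recognized(raw: str) -> bool:
    """True when raw matches one of the listed families (syntax only)."""
    return any(p.match(raw.strip()) for p in (NUMERIC, COMPACT, SYSLOG))

def unify(raw: str, default_year: int) -> datetime:
    """Parse a timestamp in any listed form. The syslog form carries no year,
    so the caller supplies one; a 7th fractional digit is truncated because
    datetime holds microseconds (both choices are assumptions)."""
    s = raw.strip()
    if m := NUMERIC.match(s):
        y, _, mo, d, hh, mm, ss, frac = m.groups()
    elif m := COMPACT.match(s):
        y, mo, d, hh, mm, ss, frac = m.groups()
    elif m := SYSLOG.match(s):
        mon, d, hh, mm, ss, frac = m.groups()
        if mon.title() not in MONTHS:
            raise ValueError(f"unknown month in {raw!r}")
        y, mo = default_year, MONTHS[mon.title()]
    else:
        raise ValueError(f"unrecognized time format: {raw!r}")
    micro = int((frac or "0")[:6].ljust(6, "0"))
    return datetime(int(y), int(mo), int(d), int(hh), int(mm), int(ss), micro)

def unify_records(records, default_year: int):
    """Rewrite (device, raw_timestamp) pairs into UNIFIED and sort them, so
    events from different devices line up on one time axis."""
    rows = [(dev, unify(ts, default_year).strftime(UNIFIED)) for dev, ts in records]
    return sorted(rows, key=lambda r: r[1])

# Constructed sample mirroring the three devices on the page (Device C written
# in the syslog 'MMM d' form, the one that lacks a year).
SAMPLE = [("Device A", "2017/04/03 09:38:00"),
          ("Device B", "2017-04-03 09:39:09"),
          ("Device C", "Apr  3 09:38:22")]
```

Because the year is absent from the syslog form, records that span a year boundary need the caller to choose the year per file or per device rather than once for the whole batch.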
Understandable! Usable! [2/2]
Sometimes the information in the data itself is not enough. EVA enables integration with master information without using complicated syntax.
Addition: add items from the master for information that is not in the log
  Log:
    User
    Ito
    Yamada
    Tanaka
  Corresponding list (master):
    Department                  User
    Sales Department            Ito Taro
    Sales Department            Yamada Takashi
    Administration Department   Tanaka Ichiro
  Result:
    Department                  User
    Sales Department            Ito Taro
    Sales Department            Yamada Takashi
    Administration Department   Tanaka Ichiro
Replace: unknown values are replaced from the master automatically
  Log:
    Level         Message
    Attack        Port scan! From…
    Information   User admin…
    Information   User admin…
  Corresponding list (master):
    01  Attack
    02  Notice
    03  Information
  Result:
    Level   Message
    01      Port scan! From…
    03      User admin…
    03      User admin…
Filter: unnecessary items are filtered by condition
  Before filtering:
    Level   Message
    01      Port scan! From…
    03      User admin…
    03      User admin…   (Cut!)
  With filtering conditions:
    Level   Message
    01      Port scan! From…
    03      User admin…
Unnecessary data is cleansed, which improves the efficiency of log analysis.
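The three operations above (Addition, Replace, Filter) as an added Python example, not ALog EVA's own code: the master tables and log records are constructed from the page's tables, and the way a key missing from the master is kept and flagged, as well as the example filter condition, are my assumptions.

```python
# Constructed master tables mirroring the page's "corresponding list" tables.
USER_MASTER = {
    "Ito":    {"Department": "Sales Department", "User": "Ito Taro"},
    "Yamada": {"Department": "Sales Department", "User": "Yamada Takashi"},
    "Tanaka": {"Department": "Administration Department", "User": "Tanaka Ichiro"},
}
LEVEL_MASTER = {"Attack": "01", "Notice": "02", "Information": "03"}

def _flag(rec: dict, name: str) -> dict:
    """Keep an unmatched record and note which lookup failed, rather than
    dropping it silently (assumption: the page does not say how EVA itself
    treats keys that are absent from the master)."""
    return {**rec, "_unmatched": list(rec.get("_unmatched", [])) + [name]}

def add_from_master(rec: dict, master: dict, key: str) -> dict:
    """Addition: join the columns the log lacks (Department, full name)
    from the master row matching rec[key]."""
    row = master.get(rec[key])
    return _flag(rec, key) if row is None else {**rec, **row}

def replace_from_master(rec: dict, master: dict, field: str) -> dict:
    """Replace: rewrite rec[field] with its master value (Level text -> code)."""
    if rec[field] not in master:
        return _flag(rec, field)
    return {**rec, field: master[rec[field]]}

def filter_records(recs, keep) -> list:
    """Filter: drop records that fail the condition before storage/analysis."""
    return [r for r in recs if keep(r)]

def cleanse(recs, keep) -> list:
    """Run the page's three steps in order: Addition, Replace, Filter."""
    enriched = [replace_from_master(add_from_master(r, USER_MASTER, "User"),
                                    LEVEL_MASTER, "Level") for r in recs]
    return filter_records(enriched, keep)

def keep_for_review(rec: dict) -> bool:
    """Example condition (an assumption): drop Information-level (03) rows
    but keep anything a master could not resolve, so it is reviewed, not lost."""
    return rec["Level"] != "03" or bool(rec.get("_unmatched"))

# Constructed log records combining the page's two example tables, plus one
# record whose user and level are unknown to the masters.
LOG = [
    {"User": "Ito",    "Level": "Attack",      "Message": "Port scan! From..."},
    {"User": "Yamada", "Level": "Information", "Message": "User admin..."},
    {"User": "Tanaka", "Level": "Information", "Message": "User admin..."},
    {"User": "Suzuki", "Level": "Debug",       "Message": "heartbeat"},
]
```

The `_unmatched` marker is what makes a stale master visible: a filter written only on the replaced codes would otherwise discard every record whose user or level the master does not know.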
[Case Study] Cyber Attack Measures
CASE 1: Government
As a cyber attack measure, visualize the signs of a cyber attack and of data leakage by injecting the existing network logs into EVA.
Entrance (attack sign): FW log / UTM log
- Suspect the possibility of an attack based on the number of abnormal accesses
Exit (leakage sign): UTM / proxy log
- Report access to threat sites during night time / holidays
[Case Study] Internal Fraud
CASE 2: Major logistics center
A major logistics company where information leaks by employees were discovered. For recurrence prevention, file access to servers and file export on PCs were monitored.
Monitoring access to confidential information: file server log
- Keep access records for sensitive folders for 5 years
Monitoring file export: PC log
- Store records of copies to USB or cloud for 5 years
[Case Study] Detect trouble cause
CASE 3: Internet service provider
To detect and trace the cause of trouble in the customer's systems and network: unify logs from multiple devices and aggregate the records of administrators' setting changes.
Unified recording and management of administrators' operations by using EVA.
Various data: application, switch, firewall, PC, server (APP LOG, SYSLOG, EVENT LOG)
- Realize central management by using the unified format
- If you have the records, you can pinpoint the virus-infected area and comprehend the cause of trouble (setting errors, etc.)
[Case Study] Work Style Reform
CASE 4: Municipality
〇〇 City embarked on work style reform in response to the Ministry of Internal Affairs and Communications. Data collection focused on restricting excessive overtime and understanding lazy work. Logs laid the foundation for business reform.
Control excess overtime: authentication log
- Overtime staff ranking
Understanding lazy work: web proxy log
- Identify heavy users of Facebook / Instagram and fashion / car / gourmet sites
Example: Internal information leakage
A major distribution center. Information leakage occurred through internal fraud at one of the major distribution centers. In order to prevent a recurrence of the incident, MIS established a log management process focused on "protection of confidentiality", "privileged account management" and "data leakage onto external devices".
ALog EVA Selection Point
If the customer is already collecting file server access logs and DB access logs, enabling ALog EVA makes it very easy to expand the collection targets, and implementation is simple.
Access to confidential data must be recorded! Especially access by privileged users must be traced! (ALog ConVerter)
- Record all access events to the confidential data on a file server.
- Record all logon/logoff events of privileged users on a DB server.
Every event regarding access to external devices must be recorded! (ALog EVA)
- Record the outgoing web mail attachments via a proxy server.
- Record the duplication of data files onto USB devices via the PC log.
Copyright AMIYA Corporation All Rights Reserved.
ALog EVA Log Ingestion List
◆ Network System
Cisco ASA series
Cisco Catalyst series
Juniper SSG series
Juniper MAG series
PaloAlto Networks PA series
Blue Coat ProxySG series
Fortigate series
Infoblox DHCP
YAMAHA RTX series
IBM Flex System EN switch
Hitachi Load Balancer EL130
Aruba Networks Mobility Controllers
TrendMicro Deep Discovery Inspector
Soliton Systems NetAttest EPS series
SonicWall series
◆ NAS / Cloud Storage / General-purpose machine
Hitachi Virtual File Platform (CIFS)
NetApp ONTAP (NFS audit)
HPE 3PAR StoreServ
Nutanix AFS (Nutanix Files)
QNAP
I-O DATA LAN DISK
Amazon Web Services CloudTrail
Box
FOBAS Cloud Storage Cache
IBM AS/400
◆ Servers
Apache HTTP Server (Linux)
IBM HTTP Server (Linux)
DHCP Server (Windows)
DNS Server (debug log) (Windows)
Microsoft Exchange Server (Windows)
RADIUS Server (Windows)
WebDAV (Windows)
Squid common (Linux proxy server)
Sendmail (Linux mail server)
Postfix (Linux mail server)
Samba (Linux)
◆ Database
MySQL (Linux)
PostgreSQL (Linux)
FUJITSU Symfoware Server (OPEN)
FUJITSU Symfoware Server (NATIVE)
Hitachi HiRDB
IBM DB2
◆ Security product
SKYSEA Client View
LanScope Cat
Soliton Systems SmartOn
DOS System Support best1 (SS1)
Quality Soft QND
Digital Arts i-FILTER
Digital Arts m-FILTER
TrendMicro Virus Buster
TrendMicro InterScan Messaging Security
ALSI InterSafe ILP
ALSI InterSafe IRM
Symantec Messaging Gateway
Hitachi Solutions Hibun
ZenmuTech ZENMU
Cisco Cloud Web Security
IIJ Secure Web Gateway Service
Pulse Secure series
Logstorage
◆ Application
SAP
NEC Explanner
PCA series
OBIC series
NISSEICOM GrowOne
Microsoft SharePoint (AvePoint)
Cybozu Office series
Cybozu Garoon series
Access Analyzer
Hitachi JP1
FUJITSU Systemwalker
Fuji Xerox DocuShare
Fuji Xerox ArcSuite
※ As of September 2018, in no particular order
Topics
ALog EVA now supports cloud service logs
ALog EVA enables log management in cloud environments and centralized log management in hybrid environments.
* The obtainable logs are examples. The output contents differ depending on what the cloud service side can provide.
Report Sample: Number of sent mails, TOP 10
Collect the mail archiving system log with ALog EVA and rank users by the number of mails sent.
Report Sample: Number of job search site views
Collect the web proxy log with ALog EVA and summarize web browsing in the job search site category.
Find out that someone has been accessing job search sites many times!
System Flow
Target devices -> Manager server:
① Windows file sharing (e.g. NAS server): log transfer
② SCP transfers via SSHD (e.g. Linux server): log transfer
③ Syslog transfers from target devices* (e.g. network devices): received by a syslog server
On the manager server, the gathered logs go through conversion processing (access log + mapping definition), then log storage and log search.
*Logs are transferred from the target devices to the ALog manager server and received on the manager server side. The syslog server (Kiwi Syslog Server, etc.) must be configured as a manager server.
Points
• File compression allows long-term storage
• Data encryption prevents tampering
• DB storage duration can be set to any period
• File output by device (easy coordination with other systems)
Hardware Requirements - Manager Server (ALog EVA)
OS: Windows Server 2008 (x64) / 2008 R2 / 2012 / 2012 R2 / 2016 / 2019
CPU: Dual core or higher (quad core or above is recommended)
Memory: 8 GB or higher (16 GB or higher is recommended)
HDD: 500 GB or higher disk space
Software: .NET Framework 4.6 or later, and one of the following web browsers:
- Internet Explorer 10 or later
- Firefox 40 or later
- Google Chrome 44 or later
*32-bit OS versions are not supported. *Each service pack (SP) of each OS is supported. *Each edition (Standard / Enterprise / Datacenter) is supported.
*Virtualized environments (VMware, Hyper-V, Citrix XenServer) are supported.
*More disk space may be required depending on the number of target servers and the access log retention period.
Obtainable log types
ALog EVA can obtain log data that is output as Windows Event Log, syslog, or text files (with separated values such as CSV).
Log files can be obtained from uncompressed files, ZIP files (Deflate32), and compressed files in the gz and bz2 formats.
Text files need to be encoded in UTF-8, UTF-16 or another encoding supported by the .NET Framework.
The following types of log cannot be obtained with ALog EVA:
- Fixed-length format
- Binary files
- Encrypted files
In case a syslog server is needed
A syslog server is needed alongside ALog EVA when log data cannot be shared via Windows file sharing (CIFS). *Verified syslog server software: Kiwi Syslog Server (not the free version).
If you use a syslog server, you must meet the requirements for operating it. Please confirm them on the maker's homepage.