LogStack has been built upon the idea that customers pay for knowledge and experience.
The components of LogStack are based on open source or free licenses. The goal of LogStack is to help customers quickly implement a central log management system without commercial software licenses. LogStack provides significant added value from a cyber security, IT, and data protection perspective (covering applications, development, and other daily IT management). LogStack also helps with ISO or E-ITS standards compliance.
WITH THE LOGSTACK SERVICE, YOU GET WITHIN 1-3 MONTHS:
Installation, management, updates and development of a central log management and SIEM environment.
The analysis module allows the analyst, system administrator, and information security manager to visually process the collected information. It enables flexible search, filtering, and grouping of information, and the easy creation of different visualizations over aggregations and their combination into dashboards. A large number of views and dashboards for the most commonly used log types are immediately available. It also includes the necessary SIEM functions: automatic analysis capabilities, threat feed integrations, and the creation of cases and time series. More than 600 rules, grouped into more than 50 categories and mapped to the MITRE ATT&CK framework, are immediately available for automatic analysis.
Acquisition modules are installed on the servers where logs need to be collected (pre-installed on LogStack servers). These are usually Elastic's filebeat or winlogbeat, which establish a highly available, TLS-secured connection to LogStack, typically to the Reception Module (logstash) and the Storage Module (elasticsearch). For collecting logs from cloud servers, pull-type transport can also be used, where central Reception Module logstash instances connect to the cloud server and pull fresh logs. Automation tools (ansible playbooks) have been created for installing and configuring acquisition modules.
The Reception Module usually consists of three subsystems, each redundant, for consuming different types of logs:
1. For receiving syslog-based log streams over TCP/UDP, buffering, and preprocessing, the syslog-buffer module is used. This is often needed for network devices.
2. For receiving TLS-secured log streams from servers and from the local syslog buffer, Elastic's logstash is usually used. Here, information is normalized, transformed, and enriched as needed.
3. An independent local log flow provides a stable log channel for handling LogStack's internal logs.
The Storage Module consists of separate Elasticsearch node functions: master, data, and coordination, each scaled according to best practices and demand, for example, 3 nodes per function. Data availability is ensured with +1 redundancy, meaning that each log event exists on at least 2 different Elasticsearch nodes running on different (virtual) servers.
This module is integrated with the Storage Module and grants only the minimum necessary access using role-based access control (RBAC), specific to each LogStack component and/or user that needs it. In the default configuration, the accounts of LogStack internal modules (about 10 preconfigured roles) are kept in a local database, while human user access (3 preconfigured roles) is integrated with an existing external AAA service over a standard secure protocol such as LDAPS (Microsoft AD, OpenLDAP), OpenID (e.g. Azure AD), Kerberos, or SAML.
The backup module can be used in two roles: 1. backing up data to a separate system and restoring it from there; 2. archiving older data and bringing it back into the system when needed. For backup and archiving, a connection to an external storage medium via the S3 or NFS protocol is suitable. Backup and restore can be done with high granularity, such as filtering by index or date. The backup module works reliably even with a dense schedule (every 15 minutes) and a large number (1000+) of indexes and snapshots.
helps to perform the initial installation of LogStack as quickly as possible. It includes functions (ansible playbooks) for automatic installation and configuration of server infrastructure services (GFS, Docker Swarm), as well as the above-mentioned central service components and Acquisition modules.
allow for automated analysis of log events and the generation of user notifications to various channels such as email, Slack, etc.
provides X.509 certificates to all LogStack service-providing modules (e.g. Elasticsearch, Logstash, etc.). It can be used as an independent 2-level CA (rCA + iCA) or integrated into an existing PKI infrastructure as a signing sub-CA.
The integrity module computes a SHA-2 hash of every log entry before storage and links the hashes into a blockchain-like chain, so that each stored entry is bound to the one before it. A background process periodically re-verifies this chain and alerts if its integrity is lost.
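As an added illustration of the hash-chain idea described above (this is not LogStack's own code; the JSON entry format, the SHA-256 choice, and the sample log lines are assumptions constructed for the example), the following shows how chaining each entry to the previous hash lets a background check detect both modification and deletion of stored records:

```python
import copy
import hashlib
import json

# Constructed sample log entries (not taken from any real system).
SAMPLE_LOGS = [
    {"ts": "2024-01-01T00:00:00Z", "host": "web1", "msg": "sshd: session opened for user alice"},
    {"ts": "2024-01-01T00:00:05Z", "host": "web1", "msg": "sudo: alice : COMMAND=/bin/systemctl restart nginx"},
    {"ts": "2024-01-01T00:00:09Z", "host": "db1", "msg": "postgres: connection authorized: user=app"},
]

GENESIS = "0" * 64  # anchor hash for the first record in the chain


def canonical(entry):
    """Serialize an entry deterministically so its hash is reproducible on re-verification."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def chain_logs(entries, prev_hash=GENESIS):
    """Store each entry together with the previous hash and its own hash over (prev_hash || entry)."""
    records = []
    for entry in entries:
        h = hashlib.sha256(prev_hash.encode() + canonical(entry)).hexdigest()
        records.append({"entry": entry, "prev_hash": prev_hash, "hash": h})
        prev_hash = h
    return records


def verify_chain(records, anchor=GENESIS):
    """Recompute every link; return (True, None) or (False, index of the first broken record).

    Modifying an entry or removing a middle record breaks a link. Truncating the tail does not,
    so the background checker must also remember the last hash it saw (the anchor for the next run).
    """
    prev_hash = anchor
    for i, rec in enumerate(records):
        expected = hashlib.sha256(prev_hash.encode() + canonical(rec["entry"])).hexdigest()
        if rec["prev_hash"] != prev_hash or rec["hash"] != expected:
            return False, i
        prev_hash = rec["hash"]
    return True, None


def demo_tamper():
    """Edit one stored entry after the fact and report what verification finds."""
    tampered = copy.deepcopy(chain_logs(SAMPLE_LOGS))
    tampered[1]["entry"]["msg"] = "sudo: alice : COMMAND=/bin/true"
    return verify_chain(tampered)
```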
enables linking two autonomously operating LogStacks (typically in separate data centers or clouds) so that both have all the information available at any given time (near-real-time).
contains components and scripts that simplify the LogStack's daily administration and troubleshooting.
If you are interested in the LogStack log management environment, send a request for a demo.
for whom a centralized log management system with access to all infrastructure and application logs is critical for the fast detection and operational analysis of critical security incidents.
for whom providing access to logs that are specific to a particular role is important through a simple interface. For example, a Windows administrator is only interested in logs related to their Windows domain.
who can create reports and extracts based on logs to identify activities that do not comply with company policies, and to prevent data breaches.
As a telecommunications company, we need to have a good overview of what is happening in our systems. Although we have implemented a SIEM (security information and event management) system, which works well as a notification system, it is unfortunately not enough to help our departments quickly determine the root causes of problems, threats, and errors. To address this, we planned to implement a centralized log management system that would enable us to effectively reach the root cause of problems. During the implementation phase, we realized that we lacked the knowledge and experience to get the system working properly and manage it. We decided to opt for a service so that we could quickly and efficiently install a centralized log management system that would allow us to isolate problems before they become critical.
We are a medium-sized state institution, and our resources are very limited budget-wise. To avoid constantly struggling with resource scarcity in our production environment, we decided to implement a monitoring system that gives us an overview of resource usage in the production environment. In order to save time and additional costs, we decided to use a partner's help for implementation and ongoing system operation. Now we can see if an application is consuming excessive underlying infrastructure resources due to regular or irregular operation. With this evidence, we can turn to our partners, who in turn can improve developments according to our requirements.
As a transport company, we want to focus on our core business and use multiple partners for other areas, including log management. Although we know exactly where our log files are located, it is not best practice to allow all our partners' employees access to our production systems beyond system startup. The best solution is centralized log management, which allows users to view log files but does not require access to production systems. With this approach, we keep our systems operational and secure.
As an educational institution, we have a large number of users in our system, and managing them is very troublesome. That's why it's important for us to centralize the management of as many services as we can. Centralized log management allows us to investigate and audit incidents more efficiently because all event data is collected in one place. It is more difficult for malicious actors to remove evidence from logs already delivered to the log server. In addition, the integrity module checks the integrity of the log structure and issues an alarm in case of loss of integrity. We can analyze and correlate data for more than one system. Event data can be accessed even if the main server is offline, compromised, or decommissioned. We outsourced installation and management to a partner to avoid adding another service management to the to-do list.
Central log management provides our hospital's IT, information security, and business departments with views and reporting capabilities that we need to demonstrate our compliance with internal controls and SLAs. Regardless of whether a security incident occurs or not, we are increasingly under surveillance. Existing and new laws impose increasing audit requirements, and summarizing large amounts of information without a central system is almost impossible. In addition to the critical role of log file analysis in cybersecurity, it helps us control audit requirements, litigation, and personal data handling. To avoid replacing one task with another, we turned to an experienced partner whose service gives us the opportunity to focus on our own tasks.
As an online store, it is important for us to see the behavior of web application visitors and know which customer trends to follow. This information allows us to easily notice when it is the best time to send a newsletter, release a new version of the web application or launch a product, close our site for maintenance or testing, and much more. In addition, we use log analysis to observe and influence marketing activities. By collecting data such as referring sites, accessible pages, and conversion rates, we can see how well our marketing campaigns are performing and take measures to improve them if necessary.
*The minimum configuration at one site consists of 3 servers that meet the following requirements: 2 CPU cores, 12 GB RAM, 40 GB OS disk, 400 GB SSD, 1 TB HDD, OS: CentOS 7 or AlmaLinux 8.
* More detailed resource requirements will be determined once the task is clarified, and depend on log volume, complexity, retention periods, RBAC requirements, etc.