Log Management Solution – LogStack

Log management has always been resource-intensive, and because of its complexity many log management projects never fully succeed: they drag on indefinitely, are terminated, or end up only partially implemented.

Log management matters even more today, when the cybersecurity and data protection landscape changes constantly, because logs are the primary record from which threats, attacks and leaks can be analyzed and traced back to their source.

ByteLife has been innovative throughout its existence, bringing to market solutions that make sense for everyone but that nobody had implemented; log management is no exception.

We have built our log management product, LOGSTACK, on the principle that the customer pays for knowledge and experience, not for licenses. Guided by that EXPERIENCE, we have packaged the solution so that within 1-3 months we are able to:

  1. Deliver the first results from scratch
  2. Configure basic features such as notifications, reports, and views
  3. Integrate standard and custom log sources

ByteLife's role is to help customers deploy LOGSTACK quickly, without "golden handcuffs" in the form of licensing or mandatory integration and support services. We also deliver extensive knowledge transfer sessions so that you can go on managing the solution on your own.

Unfortunately, in the modern world the "no logs, no flops" principle does not hold, and once a major incident has happened it is too late to start collecting logs. To keep the investment affordable, we use the following pricing model:

  1. Software licenses and future license maintenance fees: 0 €
  2. One-time installation fee (LogStack Standard): 4 125 €
  3. Support service monthly fee (LogStack Standard): 1 375 € per month

There is no mystery about the cost of log management: ByteLife's standardized LOGSTACK solution has dispelled it. We believe LOGSTACK adds significant value not only for cybersecurity and day-to-day IT management (including applications and development) but also for data protection.

Logstack Service

The purpose of the service is to install and configure LogStack, a central log collection and processing environment that complies with ISKE (the Estonian baseline security standard). LogStack lets you collect logs across the entire IT infrastructure:

  • pushed (or, exceptionally, pulled) from log files on servers over a secured transport channel,
  • received from network devices and other sources over the syslog protocol.

Capabilities and benefits

  • Collected logs are normalized and indexed, which allows them to be processed quickly: searching, correlation and visualization.
  • Views and dashboards for the different log types are prepared in advance in the user interface, so analysis can start immediately.
  • Automatic analysis of log events is set up, with notifications for anomalies and critical security events.
  • The primary user interface is web-based and supports flexible role-based access control (RBAC) over the data.
  • The LogStack architecture is designed and installed with the goal of meeting the ISKE M-level infrastructure baseline, including all of its requirements.
  • All internal and external connections to LogStack are secured (authenticated and encrypted) using an internal PKI.
  • Tools and procedures are in place to connect new log sources quickly.
  • The service is built on clustered Elasticsearch and related components.

LogStack Architecture

The main components of the LogStack architecture correspond to those of the Elastic Stack and are shown in the figure below.

[Figure: LogStack architecture]

The LogStack service components provide the following functionality; each component is optional and is used according to need:

Transmission modules

are installed on the log-generating servers (and come pre-installed on LogStack's own servers). They are generally Elastic's Filebeat or Winlogbeat and establish a high-performance TLS connection to LogStack, usually to the Logstash receiver of the Receiving module, or directly to the Elasticsearch Storage module. Pull-type transmission can also be used to collect logs from cloud servers: the central Logstash instances of the Receiving module connect to the cloud server and synchronize the log. Installation and configuration of the transmission modules is automated with Ansible playbooks.

Receiving module

generally consists of three subsystems, each of them duplicated, to receive the different kinds of log stream:

  1. Syslog streams over TCP/UDP are received, buffered and pre-processed by the syslog-ng module. Network equipment often requires this.
  2. TLS-secured log streams from servers, together with the buffered stream from the local syslog-ng module, are received by Elastic's Logstash. Here the information is parsed, normalized and enriched as required.
  3. An independent Logstash instance receives LogStack's own local log stream, giving the platform a stable channel for its own logs.
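What step 2 means in practice is that a raw syslog line has to be turned into the same field names whatever device produced it, otherwise the prepared dashboards and alert rules cannot be reused. The following parser is an added example written for this page (it is not LogStack's Logstash pipeline) and uses only the Python standard library. It handles both BSD syslog (RFC 3164, what most network gear sends) and RFC 5424, maps the PRI value to ECS `log.syslog.*` fields, and keeps lines it cannot parse instead of dropping them. The sample lines are constructed; the year and UTC zone applied to RFC 3164 timestamps (which carry neither) are assumptions.

```python
"""Normalize raw syslog lines (RFC 3164 and RFC 5424) into flat ECS-style fields."""
import re
from datetime import datetime, timezone

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG   (BSD syslog, typical for network gear)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?:(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?)?(?P<msg>.*)$")
# <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG   (escaped ']' inside SD not handled)
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$")


def _pri_fields(pri):
    """PRI = facility * 8 + severity; expose both as ECS log.syslog.* fields."""
    facility, severity = divmod(pri, 8)
    return {"log.syslog.priority": pri,
            "log.syslog.facility.code": facility,
            "log.syslog.facility.name": FACILITIES[facility],
            "log.syslog.severity.code": severity,
            "log.syslog.severity.name": SEVERITIES[severity],
            "log.level": SEVERITIES[severity]}


def parse_syslog(line, year=2024):
    """Return a flat dict of ECS fields; unparseable input is kept, not dropped."""
    event = {"event.original": line, "event.kind": "event"}
    m = RFC5424.match(line) or RFC3164.match(line)
    pri = int(m["pri"]) if m else None
    if m is None or pri > 191:          # highest legal PRI is local7/debug = 23*8+7
        event.update({"event.kind": "pipeline_error",
                      "error.message": "not a valid syslog header",
                      "message": line})
        return event
    event.update(_pri_fields(pri))
    event["host.name"] = m["host"]
    event["message"] = m["msg"]
    if m.re is RFC5424:
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        event["process.name"] = m["app"]
        if m["pid"] != "-":
            event["process.pid"] = int(m["pid"])
        if m["sd"] != "-":
            event["log.syslog.structured_data"] = m["sd"]
    else:
        # RFC 3164 has no year and no zone: assumed year, UTC assumed
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        if m["tag"]:
            event["process.name"] = m["tag"]
        if m["pid"]:
            event["process.pid"] = int(m["pid"])
    event["@timestamp"] = ts.isoformat()
    return event


def parse_batch(lines, year=2024):
    return [parse_syslog(line, year) for line in lines]


SAMPLE_LINES = [  # constructed for this example, not captured from real devices
    "<86>Mar  7 09:12:41 fw01 sshd[2201]: Failed password for invalid user admin "
    "from 203.0.113.9 port 51024 ssh2",
    "<165>1 2024-03-07T09:12:43.003Z app01.example.org auditd 4711 ID47 "
    "[meta seq=\"12\"] user root logged in",
    "<187>Mar  7 09:13:02 core-sw1 %LINK-3-UPDOWN: Interface Gi1/0/7, changed state to down",
    "<999>Mar  7 09:13:05 core-sw1 bogus priority value",
]

if __name__ == "__main__":
    for ev in parse_batch(SAMPLE_LINES):
        print(ev.get("@timestamp"), ev.get("host.name"), ev.get("log.level"), ev["message"])
```

The fourth line shows the behaviour a receiver needs on bad input: the original text is preserved under `event.original` and the record is tagged `event.kind: pipeline_error`, so a misbehaving device shows up in a dashboard rather than silently vanishing from the index.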

Storage module

consists of separate Elasticsearch node roles: master, data and coordinating, each scaled according to best practice and requirements, for example 3 nodes per role. Data resilience is provided with +1 redundancy (one replica shard per primary), i.e. every log event is held on at least 2 Elasticsearch containers running on different (virtual) servers.

AAA module

is tightly integrated with the Storage module and grants each component and each user that needs to interface with it only the minimum required role-based access (RBAC). In the standard configuration, the accounts of the internal LogStack modules (approx. 10 preset roles) are kept in a local database, while access for human users (3 preset roles) is controlled through an existing external AAA provider over a standard secure protocol, e.g. LDAPS, Kerberos, SAML or OpenID Connect.

Backup module

can be used in two roles: backing data up to, and restoring it from, a separate system, and archiving older data. For backup and archiving, an external storage target reachable over S3 or NFS is suitable. Backup and recovery are possible with fine granularity, for example filtered by index or by date. The backup module works well with large numbers (1000+) of indices and snapshots.

Installation module

helps you perform the initial installation of LogStack as quickly as possible. It contains Ansible playbooks for the automatic installation and configuration of the underlying server services (gfs, Docker Swarm) as well as of the central service components and Transmission modules described above.

Alert modules

allow automatic analysis of log events and, when defined conditions are met, generate notifications to users over various channels, e.g. e-mail, Slack, etc.
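The "primary automated analysis rules and alerts" the packages below refer to are typically of the form "N matching events sharing one key within a time window". The following is an added example for this page, not LogStack's alerting module: a small sliding-window rule engine over ECS-style events with per-key suppression (one alert per burst rather than one per event) and channel-specific rendering. The events, thresholds, rule names and channel names are all constructed for the illustration; a real deployment would hand the rendered text to SMTP or a Slack webhook instead of returning it.

```python
"""Threshold alert rules over normalized (ECS-style) log events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class ThresholdRule:
    """Fire once `threshold` matching events share `key_field` within `window_s`."""

    def __init__(self, name, match, key_field, threshold, window_s, channels):
        self.name, self.match, self.key_field = name, match, key_field
        self.threshold, self.window = threshold, timedelta(seconds=window_s)
        self.channels = channels
        self._seen = defaultdict(deque)          # key -> event times still inside window

    def feed(self, event):
        """Return an alert dict when the rule fires for this event, else None."""
        if not self.match(event):
            return None
        key = event.get(self.key_field, "unknown")
        t = datetime.fromisoformat(event["@timestamp"])
        q = self._seen[key]
        q.append(t)
        while t - q[0] > self.window:            # drop events that aged out of the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        first, last, count = q[0], q[-1], len(q)
        q.clear()                                # suppression: one alert per burst
        return {"rule": self.name, "key": f"{self.key_field}={key}", "count": count,
                "first_seen": first.isoformat(), "last_seen": last.isoformat(),
                "channels": self.channels}


def run_rules(events, rules):
    """Evaluate rules in event-time order (UDP syslog can arrive out of order)."""
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["@timestamp"])):
        for rule in rules:
            alert = rule.feed(ev)
            if alert:
                alerts.append(alert)
    return alerts


def render(alert, channel):
    """Channel-specific notification text (returned here instead of being sent)."""
    body = (f"[{alert['rule']}] {alert['count']} events for {alert['key']} "
            f"between {alert['first_seen']} and {alert['last_seen']}")
    if channel == "slack":
        return f":rotating_light: {body}"
    return f"Subject: LogStack alert {alert['rule']}\n\n{body}"


def deliver(alerts):
    return [(ch, render(a, ch)) for a in alerts for ch in a["channels"]]


def default_rules():
    """Fresh rule instances (rules carry state, so build new ones per run)."""
    return [
        ThresholdRule("ssh-bruteforce",
                      lambda e: e.get("event.category") == "authentication"
                      and e.get("event.outcome") == "failure",
                      "source.ip", threshold=5, window_s=300, channels=["email", "slack"]),
        ThresholdRule("critical-syslog",
                      lambda e: e.get("log.syslog.severity.code", 7) <= 2,
                      "host.name", threshold=1, window_s=1, channels=["slack"]),
    ]


def _auth(ts, outcome, src):
    return {"@timestamp": f"2024-03-07T{ts}+00:00", "event.category": "authentication",
            "event.outcome": outcome, "source.ip": src, "host.name": "fw01",
            "log.syslog.severity.code": 6}


SAMPLE_EVENTS = (  # constructed: 6 failures from one address, 1 failure + 1 success from another
    [_auth(f"09:1{i}:00", "failure", "203.0.113.9") for i in range(6)]
    + [_auth("09:11:30", "failure", "198.51.100.7"), _auth("09:12:10", "success", "198.51.100.7")]
    + [{"@timestamp": "2024-03-07T09:20:00+00:00", "event.category": "network",
        "host.name": "core-sw1", "log.syslog.severity.code": 2,
        "message": "Temperature threshold exceeded"}]
)

if __name__ == "__main__":
    for channel, text in deliver(run_rules(SAMPLE_EVENTS, default_rules())):
        print(channel, "->", text.splitlines()[-1])
```

Two details matter operationally: sorting by event time rather than arrival time keeps the window honest when buffered syslog arrives late, and clearing the window on firing is what keeps a 500-attempt brute force from producing 496 notifications.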

PKI module

provides every component of the LogStack service (e.g. Elasticsearch, Logstash, ...) with X.509 certificates. It can be used as a standalone 2-tier CA (rCA + iCA, i.e. root CA plus issuing CA) or attached to an existing PKI infrastructure as a signing sub-CA.

Integrity module

(integrity) hashes every log entry with SHA-256 before it is stored and chains the hashes into a blockchain-like structure, so that a modified or removed entry breaks the chain. A background process continuously checks the integrity of this structure and reacts when a loss of integrity is detected.
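The chain structure is worth seeing concretely, together with what it does and does not catch. The following is an added example written for this page, not the LogStack integrity module's code. Each record stores the SHA-256 over the previous record's hash and the canonical JSON of its entry; editing, reordering or deleting an entry therefore invalidates every later link. Two caveats a reviewer would want are built in: removing records from the tail is only detectable if the latest hash (the head) is kept somewhere the attacker cannot rewrite, and a plain hash chain can be rebuilt wholesale by anyone who can write to the index, so the optional key turns each link into an HMAC-SHA256. The entries and the key are constructed for the example.

```python
"""Tamper-evident hash chain over stored log entries, with optional keyed links."""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64


def link_hash(prev_hash, entry, key=None):
    """SHA-256 (or HMAC-SHA256 when a key is given) over prev hash + canonical entry."""
    payload = prev_hash.encode() + b"\n" + json.dumps(
        entry, sort_keys=True, separators=(",", ":")).encode()
    if key is None:
        return hashlib.sha256(payload).hexdigest()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_chain(entries, key=None, prev=GENESIS):
    records = []
    for entry in entries:
        h = link_hash(prev, entry, key)
        records.append({"entry": entry, "prev_hash": prev, "hash": h})
        prev = h
    return records


def verify_chain(records, key=None, head=None):
    """Return (ok, index): index is the first broken link; len(records) means the
    stored head hash did not match (tail truncated); None when the chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev_hash"] != prev or link_hash(prev, rec["entry"], key) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if head is not None and prev != head:
        return False, len(records)
    return True, None


SAMPLE_ENTRIES = [  # constructed
    {"@timestamp": "2024-03-07T09:12:41+00:00", "host.name": "fw01",
     "message": "Failed password for admin from 203.0.113.9"},
    {"@timestamp": "2024-03-07T09:12:44+00:00", "host.name": "fw01",
     "message": "Failed password for admin from 203.0.113.9"},
    {"@timestamp": "2024-03-07T09:13:02+00:00", "host.name": "core-sw1",
     "message": "Interface Gi1/0/7, changed state to down"},
    {"@timestamp": "2024-03-07T09:13:30+00:00", "host.name": "fw01",
     "message": "Accepted publickey for backup from 10.0.5.12"},
]


def demo():
    """Build a keyed chain and show which manipulations each check detects."""
    key = b"integrity-module-secret"      # assumed: held only by the integrity service
    chain = build_chain(SAMPLE_ENTRIES, key)
    head = chain[-1]["hash"]              # assumed to be stored out of band, e.g. signed
    results = {"intact": verify_chain(chain, key, head)}

    edited = copy.deepcopy(chain)          # attacker rewrites one stored entry
    edited[1]["entry"]["message"] = "Accepted password for admin from 203.0.113.9"
    results["edited"] = verify_chain(edited, key, head)

    truncated = chain[:-1]                 # attacker deletes the newest record
    results["truncated_no_head"] = verify_chain(truncated, key)        # not detected
    results["truncated_with_head"] = verify_chain(truncated, key, head)  # detected

    rebuilt = build_chain([r["entry"] for r in edited])  # attacker recomputes unkeyed chain
    results["rebuilt_without_key"] = verify_chain(rebuilt, key, head)
    return results


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name:22s} ok={ok} first_bad_index={idx}")
```

The `truncated_no_head` result is the caveat in one line: a chain verifies fine after its tail is cut off, so the background check must compare against an anchored head (or record count) rather than only walking the links.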

Synchronization module

allows two autonomously running LogStacks (typically in separate data centers or clouds) to be linked so that both hold all the information in near real time. Kafka components are used.

Operating module

LogStack includes components and scripts that simplify day-to-day administration and troubleshooting.

Logstack Packages

There are 2 different packages for implementing LogStack:

Feature / Package                                                                    | Standard | Premium
Preliminary analysis of the use case and workflow, and index design                  | Y        | Y
LogStack setup as a 3-node cluster                                                   | Y        | Y
Integration with existing AAA platform and RBAC setup                                | Y        | Y
Number of initial standard log source integrations                                   | 5        | 10
Workflow-centered dashboards created, up to                                          | 3        | 6
Initial automated analysis rules and alerts created                                  | 3        | 6
Brief training for LogStack administrator and regular user (analyst, sysadmin)       | Y        | Y
Option to install two autonomous log environments on separate sites, kept in sync    | -        | Y
Option to use the integrity module                                                   | -        | Y
Option to use 2 different alerting modules                                           | -        | Y

LogStack operating support is structured along the same lines as deployment:

Feature / Package                                                                    | Standard | Premium
LogStack platform support and access to software updates                             | Y        | Y
Weekly review of the log management environment                                      | Y        | Y
Consultation hours per month, usable e.g. to connect new log sources, create views or dashboards, or set up alerts | 6 | 10

Service                                                   | Period   | Price € excl. VAT
LogStack Standard one-time setup fee                      | One-time | 4 125.00 €
LogStack Standard monthly management fee                  | Monthly  | 1 375.00 €
LogStack Premium one-time setup fee, per cluster          | One-time | 6 875.00 €
LogStack Premium monthly management fee, per data center  | Monthly  | 2 335.00 €

The ByteLife LogStack solution can also be ordered, with the same service conditions, prices and functionality, as the 'RIIGIPILV' (NATIONAL CLOUD) service "Log management (ByteLife)".

Description Of Packages

Description of LogStack Standard

1. Installation

  • Preliminary analysis of the use case and workflow and index design
  • Logstack setup as a 3-node cluster solution
  • Integration with existing AAA platform and RBAC setup
  • Up to 5 initial standard log source integrations
  • Up to 3 workflow-centered dashboards
  • Creation of up to 3 initial alerts
  • Brief training for LogStack administrator and regular user (analyst, system administrator)

2. Support

  • LogStack platform support and access to software updates
  • Weekly environment review
  • Consultations (6 h per month), usable e.g. to connect new log sources, create views or dashboards, or set up alerts

3. Non-standard sources

  • Creation of parsers according to ECS (Elastic Common Schema), with the related views and dashboards.

Description of LogStack Premium

1. Installation

  • Everything that the Standard package contains
  • Option to install the solution on 2 separate, synchronized sites
  • Option to use the integrity module
  • Option to use 2 different alert modules
  • 5 additional standard log source integrations
  • 3 additional workflow-centered dashboards
  • Creation of 3 additional alerts

2. Support

  • LogStack platform support and access to software updates
  • Weekly environment review
  • Consultations (10 h per month), usable e.g. to connect new log sources, create views or dashboards, or set up alerts

3. Non-standard sources

  • Creation of parsers according to ECS (Elastic Common Schema), with the related views and dashboards.

THE USE CASES

1. Security department,

for whom central log management, with access to all infrastructure and application logs, is critical for the rapid detection and operational analysis of security incidents.

2. IT development and administration departments,

for whom easy access to the logs relevant to a specific role is important; for example, a Windows administrator is only interested in logs related to their Windows domain.

3. Compliance officers, including data protection officers,

who can use the logs to produce reports and statements about activities that violate the company's established policy, and thereby help prevent data leaks.

Additional Information

Backup

The service can back up log data to storage services; backup of configuration data is handled internally.

Minimum infrastructure requirements

The starting configuration on one site consists of 3 virtual machines, each meeting the following: VM flavour g1.medium4 (2 vCPU, 12 GB RAM, 40 GB OS disk), 400 GB SSD, 1 TB HDD; OS: CentOS 7 with Docker.

Examples Of Using The Service

X-Ministry comprises 8 administrative units. Two of them are larger and have their own comprehensive IT support organization; the remaining 6 run a number of individual services, both on-prem and in the cloud, and lack resources both in detection (only 2 security staff) and in IT administration, where some system administrators serve several units. With LogStack, logs could be collected from all systems and the ministry's security level significantly improved: the same two security staff would now have an overview of the security events of all 6 subdivisions. SLAs would also improve, since alerts on problems are generated in the same way everywhere and root cause analysis is faster thanks to simple correlation capabilities. All of this is made possible by LogStack's flexible access rights management.