What causes blank stares? Or operations despair? Barks like the neighbor’s dogs? It’s a monkey on your back looking for people that hack.
They’re logs, logs, logs!
TV show humor aside, log management is one of the most challenging things you can think of when collecting data from a modern enterprise network. Logfile capture is a delicate balance of figuring out how much information you need without overwhelming the system that you’re using to collect that data. I once managed to lock myself out of a router SSH session by simply enabling verbose console logging and then pointing it at the call processing interface. My attempts to collect all the necessary info ended up shutting down the phone system for half an hour while I rushed across town to the router to reboot and clear my errant logging commands.
That was just one device. Imagine trying to collect the logs of dozens or hundreds of critical devices. Now, imagine trying to store those files and analyze what’s contained in them. It’s a mind-boggling proposition. Even with logging tuned to an appropriate severity level, you’re still going to be faced with hundreds of thousands of lines of text that you need to parse and process before anything remotely useful comes out of it.
Who has that kind of time any more?
Intelligent Log Analysis Needs a Machine
Luckily for us in IT, the advances in artificial intelligence (AI) and machine learning (ML) have given us the tools we need to make sense of the ocean of data that we’re creating in our collection efforts. Rather than having a human scan through files and look for anything weird, we can instruct a system to do that for us at a much faster rate, and with a consistent, baseline-driven definition of what counts as anomalous instead of a tired analyst’s gut feeling.
I had a chance to sit down with LogicMonitor a few weeks ago to discuss this topic in a bit more detail. They’ve been running into the same issues as outlined above, and they know that there is a huge need in the market for the capability to process and make sense of vast amounts of log data. Back in January 2020, they acquired the Swedish company Unomaly, which specialized in just such a task. Last November, they launched the result of that integration as LM Logs.
LM Logs ingests log data from the monitored devices and servers in your enterprise and tries to surface meaningful data about what’s going on. It’s a tool designed to manage the log files themselves and to expose the information in them that would otherwise stay hidden from all but the most well-trained eyes. It does that by combining the anomaly-detection algorithms that Unomaly had developed with the AIOps intelligence built into the LogicMonitor platform. The result is a tool that looks for events that fall outside the normal pattern for a given source and brings them to your attention, so you can focus on the critical pieces instead of the routine ones.
In The Land of the Log Blind
If you know what alert fatigue is, you’re likely nodding in agreement right now about the importance of a solution like LogicMonitor LM Logs. We all get overwhelmed by alerts on a regular basis. The endless cascade of emergencies and critical failures that end up being somewhat less important can create blind spots in an organization. The first time you see a failed VPN credential use, you’re going to expend a lot of energy tracking down the issue. The hundred and first time you see it, you’re likely to wave it off and move on with your day.
That’s how attackers can create issues in the system. As we’ve seen from recent attacks and penetrations of sensitive organizations, it’s all about avoiding detection. Rather than breaking in and creating a ruckus that gets the security staff’s attention, attackers will frequently lie low after the initial incursion until they’re certain they are undetected. Then they will move laterally until they can compromise a system of interest. This slow movement to avoid detection can bypass traditional internal controls, because each individual step, a VPN login here, a new session on a server there, looks routine on its own. It is the pattern across those steps, not any single line, that gives the intruder away.
An intact log file never lies. The journal it creates can tell you exactly what you need to see interlopers moving in real time. However, that only happens if you can sift them out of the other noise. That’s why LM Logs is a crucial piece of the puzzle. The AIOps functionality in the system will find the interesting pieces and present them to you in such a way as to let you know that this particular nugget of information is worth looking at. Maybe it’s a VPN access failure at a time when no one should be trying. Or a successful login on a server outside of the hours that account normally works. There are a multitude of things that can trigger these kinds of alerts. The attackers are hoping either that they have time to wipe the logs before anyone reads them, or at least that the evidence gets buried in the rest of the junk filling up the system logs.
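To make the two alert types in the paragraph above concrete, here is an added example that is not LM Logs’ or LogicMonitor’s code and says nothing about how their algorithms actually work. It is a small Python detector that learns each account’s normal login hours from a baseline set of constructed VPN log lines, then runs three rules over a second constructed set: a successful login at an hour the account has never used before, an authentication failure outside business hours, and a burst of repeated failures from one source, which it collapses into a single alert so five failed attempts do not become five emails. The log format, user names, addresses, business hours and the failure threshold are all assumptions made up for the example.

```python
"""Baseline-plus-rules detection over constructed VPN auth log lines.

Added illustration only: the log format, users, addresses and thresholds
are assumptions, and nothing here reflects LM Logs' real implementation.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format: "<ISO ts> <host> <app>[<pid>]: AUTH_OK|AUTH_FAIL user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\w+)\[\d+\]: "
    r"(?P<result>AUTH_OK|AUTH_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed "known good" history: alice works 08-09, bob works 09 and 17.
BASELINE = """\
2021-03-01T08:55:02 vpn01 openvpn[202]: AUTH_OK user=alice src=198.51.100.10
2021-03-02T09:02:11 vpn01 openvpn[202]: AUTH_OK user=alice src=198.51.100.10
2021-03-01T09:10:44 vpn01 openvpn[202]: AUTH_OK user=bob src=203.0.113.7
2021-03-02T17:45:09 vpn01 openvpn[202]: AUTH_OK user=bob src=203.0.113.7
"""

# Constructed "today" stream: one normal login, a five-failure burst against
# carol during the day, a 03:22 failure for alice, a 03:40 success for bob at
# an hour bob has never used, and one unparseable line that must be skipped.
TODAY = """\
2021-03-03T09:01:30 vpn01 openvpn[202]: AUTH_OK user=alice src=198.51.100.10
2021-03-03T10:14:05 vpn01 openvpn[202]: AUTH_FAIL user=carol src=203.0.113.9
2021-03-03T10:14:06 vpn01 openvpn[202]: AUTH_FAIL user=carol src=203.0.113.9
2021-03-03T10:14:07 vpn01 openvpn[202]: AUTH_FAIL user=carol src=203.0.113.9
2021-03-03T10:14:08 vpn01 openvpn[202]: AUTH_FAIL user=carol src=203.0.113.9
2021-03-03T10:14:09 vpn01 openvpn[202]: AUTH_FAIL user=carol src=203.0.113.9
2021-03-03T03:22:51 vpn01 openvpn[202]: AUTH_FAIL user=alice src=192.0.2.44
2021-03-03T03:40:12 vpn01 openvpn[202]: AUTH_OK user=bob src=192.0.2.44
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None so callers can skip junk."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def build_baseline(lines):
    """Map each user to the set of hours in which they have successfully logged in."""
    hours = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec and rec["result"] == "AUTH_OK":
            hours[rec["user"]].add(rec["ts"].hour)
    return dict(hours)


def detect(lines, baseline, business_hours=range(8, 18), fail_threshold=5):
    """Run the three rules over a stream of lines and return the alerts raised."""
    alerts = []
    failures = defaultdict(int)  # (user, src) -> AUTH_FAIL count seen so far
    for rec in map(parse_line, lines):
        if rec is None:
            continue  # unparseable line: skip rather than crash the pipeline
        hour, user, src = rec["ts"].hour, rec["user"], rec["src"]
        if rec["result"] == "AUTH_OK":
            # A success at an hour this account has never used (or an account
            # with no history at all) is the "login outside working hours" case.
            if hour not in baseline.get(user, set()):
                alerts.append({"rule": "login-outside-baseline", "user": user,
                               "src": src, "hour": hour, "count": 1})
            continue
        failures[(user, src)] += 1
        n = failures[(user, src)]
        if hour not in business_hours:
            # A failure when nobody should be trying is interesting on its own.
            alerts.append({"rule": "off-hours-auth-failure", "user": user,
                           "src": src, "hour": hour, "count": 1})
        elif n == fail_threshold:
            # Daytime failures are noise until they repeat; raise exactly one
            # alert when the threshold is crossed instead of one per attempt.
            alerts.append({"rule": "repeated-auth-failure", "user": user,
                           "src": src, "hour": hour, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in detect(TODAY.splitlines(), build_baseline(BASELINE.splitlines())):
        print(alert)
```

Run as written, the nine "today" lines produce three alerts rather than seven: the five carol failures collapse into one, alice's 03:22 failure and bob's 03:40 login each raise one, and the garbage line is dropped. The point is not the rules themselves, which are deliberately crude, but that the baseline is learned per account from history instead of being a single hard-coded office-hours window, which is the difference between an alert you investigate and one you wave off.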
LM Logs collects the data and tells you what you need to focus on. That alone is worth the price of admission for staying aware and safe. It also helps you manage the log files on the systems themselves, as mentioned above. If you’ve ever had the pleasure of trying to clear a system event log from a server, you know it can be a noisy place. Because LM Logs is the destination for your files, you can keep your endpoints clear while still having the assurance that the data they collected is safe and sound in a central location. That matters for more than housekeeping: an attacker who wipes the local log on a compromised box has not touched the copy that was already shipped off it, so the evidence survives as long as forwarding happens before they get around to cleaning up.
Bringing It All Together
LogicMonitor knows where the pain points are in the enterprise, and LM Logs is an excellent example of this. Solving the problems we have every day in our environments is the key to a vendor sticking around in the long term. Moreover, sifting through the deluge of information that most operations teams face daily is a wonderful way to stay top of mind with them and prove how useful you are.
LM Logs’ functionality will only grow as LogicMonitor builds on the AIOps functions in the system and integrates them more fully into the main monitoring platform. Make sure you keep your eye on what they’re building as the months go on. If you’re a customer that uses LM Logs, you’ll have the spare time since you won’t need to keep a close eye on the log file stream. LM Logs has you covered there.
For more information about LogicMonitor and LM Logs, make sure you check out their website at LogicMonitor