LOGalyze contains Log Definitions for several infrastructure and application level logs and audit trails. LOGalyze uses these Log Definitions to identify, parse, normalize and index the incoming messages.
LOGalyze converts the parsed fields into a normalized format for analysis and reporting purposes. If systems in your organization are spread across time zones, LOGalyze automatically converts the timestamps into GMT. Time synchronization helps you to correlate logs from different locations.
Prioritization, classification and tagging
Log Definitions help you to order messages in different classes or tag them with different keywords for later usage.
The LOGalyze Correlation module collects messages from different systems and finds all the messages that belong to one single event (e.g. messages generated by malicious activity on different systems: network devices, firewalls, servers etc.). LOGalyze supports the following types of correlation:
- Manual correlation: every single search in LOGalyze can be a correlation using time and any other normalized log field used in the search criteria.
- Real-time event correlation: in LOGalyze you can use or create Event Definitions to generate new "correlated events". LOGalyze processes the stream of events in real time in order to detect certain event groups that occur within predefined time windows. An Event Definition can describe a single event that reacts immediately to input data or system changes, can store contexts, and can start event correlation operations.
The correlation module can produce output by sending e-mail or SNMP traps, or by calling external programs.
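The two steps described above, timestamp normalization across time zones and time-window correlation of messages from several systems, as an added example. This is not LOGalyze code and does not use its Log or Event Definition formats; the hosts, their time zones, the sample log lines and the choice of source IP as the correlation key are all constructed for the example. Fixed offsets stand in for IANA time zones so the script runs without a tz database.

```python
"""Added example, not LOGalyze code: normalize log timestamps from systems in
different time zones to UTC, then correlate messages from several hosts into
one event when they share a key (here the source IP) inside a time window."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed per-source time zones, as fixed offsets so the example needs no
# tz database. A deployment would configure IANA zone names per source so
# that daylight-saving changes are handled correctly.
SOURCE_TZ = {
    "fw-edge": timezone(timedelta(hours=1)),   # CET
    "web-01": timezone(timedelta(hours=-5)),   # EST
    "db-01": timezone.utc,
}

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample input: (host, local timestamp as written by that host, message).
RAW_LOGS = [
    ("fw-edge", "2024-03-05 15:00:05", "DENY tcp 203.0.113.7 -> 10.0.0.5:22"),
    ("web-01", "2024-03-05 09:00:09", "sshd: Failed password for root from 203.0.113.7"),
    ("db-01", "2024-03-05 14:00:12", "auth: login failure user=admin src=203.0.113.7"),
    ("web-01", "2024-03-05 11:30:00", "nginx: GET /index.html 200"),
]


@dataclass
class Normalized:
    ts_utc: datetime
    host: str
    message: str
    src_ip: Optional[str]


def normalize(host: str, local_ts: str, message: str) -> Normalized:
    """Attach the source's zone to the naive local timestamp and convert it to
    UTC; extract the first IPv4 address as the normalized src_ip field."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    ts_utc = naive.replace(tzinfo=SOURCE_TZ[host]).astimezone(timezone.utc)
    m = IPV4.search(message)
    return Normalized(ts_utc, host, message, m.group(0) if m else None)


@dataclass
class CorrelatedEvent:
    key: str
    events: List[Normalized] = field(default_factory=list)

    @property
    def start(self) -> datetime:
        return self.events[0].ts_utc

    @property
    def hosts(self) -> List[str]:
        return sorted({e.host for e in self.events})


def correlate(events: List[Normalized], window: timedelta = timedelta(seconds=60)) -> List[CorrelatedEvent]:
    """Group events by src_ip in time order. A new group is opened when the gap
    from the group's first event exceeds the window; events without the key
    are skipped."""
    groups: List[CorrelatedEvent] = []
    open_by_key: Dict[str, CorrelatedEvent] = {}
    for e in sorted(events, key=lambda x: x.ts_utc):
        if e.src_ip is None:
            continue
        g = open_by_key.get(e.src_ip)
        if g is None or e.ts_utc - g.start > window:
            g = CorrelatedEvent(e.src_ip)
            groups.append(g)
            open_by_key[e.src_ip] = g
        g.events.append(e)
    return groups


def multi_host_events(raw_logs=RAW_LOGS, min_hosts: int = 2) -> List[CorrelatedEvent]:
    """Return correlated events that span at least min_hosts distinct systems,
    i.e. the 'one event seen on several devices' case from the text."""
    normalized = [normalize(*line) for line in raw_logs]
    return [g for g in correlate(normalized) if len(g.hosts) >= min_hosts]


if __name__ == "__main__":
    for g in multi_host_events():
        print(g.start.isoformat(), g.key, g.hosts)
```

Without the conversion to UTC the three lines from 203.0.113.7 would be hours apart in their local wall-clock time and no window would join them; after conversion they fall within seven seconds and form one event seen on the firewall, the web server and the database host. Once an event like this exists, it is the natural input for the e-mail, SNMP trap or external program output described above.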
LOGalyze can detect anomalies in a working system. This means recognizing and ignoring the regular, common log messages that result from the normal operation of the system and are therefore not very interesting. However, new messages that have not appeared in the logs before can signal important events and should therefore be investigated.
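The novelty-based anomaly detection just described, as an added example that is not LOGalyze's own implementation. It reduces each line to a template by masking the fields that vary between otherwise identical messages (addresses, numbers, hex identifiers), learns the templates of a baseline period, and then reports only lines whose template has not been seen before. The baseline and stream lines are constructed for the example.

```python
"""Added example, not LOGalyze code: flag log messages whose template has not
been seen during a learning period, so that routine messages are ignored and
genuinely new ones surface for investigation."""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Masking rules applied in order (IPs before bare numbers, so an address is
# not turned into four <num> tokens). Lines produced by the same code path
# collapse into one template regardless of pid, port, address or counter.
MASKS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),
    (re.compile(r"\b0x[0-9a-fA-F]+\b"), "<hex>"),
    (re.compile(r"\b\d+\b"), "<num>"),
]

# Constructed baseline: what the host logs during normal operation.
BASELINE = [
    "sshd[1021]: Accepted publickey for alice from 10.0.0.9 port 51234 ssh2",
    "sshd[1033]: Accepted publickey for alice from 10.0.0.9 port 51240 ssh2",
    "CRON[1040]: (root) CMD (/usr/lib/sysstat/sa1 1 1)",
    "nginx: 10.0.0.12 - - GET /index.html 200 612",
]

# Constructed stream: mostly routine, with two message types never seen before.
STREAM = [
    "sshd[2101]: Accepted publickey for alice from 10.0.0.21 port 40022 ssh2",
    "nginx: 10.0.0.30 - - GET /index.html 200 612",
    "useradd[2210]: new user: name=svc-backup, UID=1007, GID=1007, home=/home/svc-backup",
    "kernel: Out of memory: Killed process 3321 (java)",
    "kernel: Out of memory: Killed process 3390 (java)",
    "CRON[2300]: (root) CMD (/usr/lib/sysstat/sa1 1 1)",
]


def template(message: str) -> str:
    """Replace variable tokens so structurally identical messages compare equal."""
    t = message
    for rx, repl in MASKS:
        t = rx.sub(repl, t)
    return t


class NoveltyDetector:
    """Counts templates seen so far; a line is novel if its template is unknown."""

    def __init__(self) -> None:
        self.seen: Counter = Counter()

    def learn(self, lines: Iterable[str]) -> None:
        for line in lines:
            self.seen[template(line)] += 1

    def scan(self, lines: Iterable[str]) -> List[str]:
        """Return the lines whose template was not known when they arrived.
        Each novel template is reported once; repeats of it are then treated
        as known, so a burst of one new message type yields one alert."""
        novel = []
        for line in lines:
            t = template(line)
            if t not in self.seen:
                novel.append(line)
            self.seen[t] += 1
        return novel


def scan_for_novel(baseline: List[str] = BASELINE, stream: List[str] = STREAM) -> List[str]:
    det = NoveltyDetector()
    det.learn(baseline)
    return det.scan(stream)


if __name__ == "__main__":
    for line in scan_for_novel():
        print("NOVEL:", line)
```

Masking only numeric tokens is deliberately simple: a login by a user name that never appeared in the baseline also produces a new template, which is usually the behaviour a reviewer wants, while a free-text field that changes on every line (a URL path, a file name) would have to be masked too or it will generate a new template each time.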
LOGalyze can process its own internal synthetic events and audit logs in the same way as any external log data. You can define reports on internal events, create Event Definitions to alert on them, or simply search them.