Secospace eLog


Product Overview
With the development of networks, security events continually occur on hosts, databases, and Web servers. These range from Trojans, worms, and SQL injections, to Web page or data tampering by staff. How can we detect these events? How can we investigate them and collect evidence?

The information age has arrived. As the information technology strengthens, application systems (service systems, operating systems, databases, and Web servers), security devices (firewalls, UTM, IPS, IDS, VPN, DPI, and AV), and network devices (routers, switches, and access devices) expand. A comprehensive and unified log management system is essential to manage the logs of all devices ranging across the network, system, and application layers.

Based on current ICT trends, customer surveys, and problem collection and analysis, Huawei Symantec Technologies Co., Ltd. (hereinafter referred to as Huawei Symantec) has launched its high performance security auditing system.

The Secospace eLog is an intelligent log management and security auditing system providing excellent performance, reliability, security, and scalability. Its functions include: log collection, analysis, association, auditing, alarms, storage, queries, and reports. It is applicable to the security devices, network devices, operating systems, databases, and Web servers of Huawei, Huawei Symantec and other major vendors, including Cisco, Juniper, and Checkpoint.

Product Features
Unified log management for various devices
• Huawei & Huawei Symantec security devices (firewalls, UTM, IPS, IDS, VPN, and DPI), BRAS devices, routers, and switches
• Security devices, routers, and switches of major vendors, for example, Cisco, Juniper, and Checkpoint
• Operating systems (Windows, Linux, and Unix), databases (SQL Server, Oracle, DB2, Sybase, and Informix), and Web servers (IIS and Apache)

Intelligent auditing technologies, which ensure the security of application systems
Users can monitor security events by delivering auditing policies based on auditing templates for abnormal behaviors and risky operations. The system delivers association audit policies to a group of devices for associating all operations during user logins and logouts into a session. These are monitored and replayed to implement effective behavior audits.

Effective user behavior monitoring, which helps identify intranet user behaviors and intrusions and attacks by extranet users
Through off-line deployment for monitoring devices, the Secospace eLog restores and audits HTTP, FTP, Telnet, and database operations in real time. By interworking with Huawei Symantec UTM devices, the Secospace eLog monitors applications such as AV software, blocking services, URL audits, email audits, instant messages, stocks, games, and P2P. It effectively tracks the behaviors of network users, and monitors the behaviors of intranet users.

Precise NAT log management, which meets the requirements of judicial or other auditing departments
The Secospace eLog provides NAT log management for firewalls, BRAS devices, and routers to help users with precise NAT tracking. This complies with laws and regulations and provides evidence for investigations by judicial or other auditing departments.

Customer-oriented and robust customization development, which supports high scalability and protects customer investment
Based on customers' service characteristics and requirements, the Secospace eLog is rapidly customizable to meet the functions required by customers or to support new device and log types. It analyzes the logs of new devices through online upgrades and provides a Web service interface (of NAT logs) for calling third-party programs.

Precise log analysis showing device running status
The Secospace eLog provides the following log types: attack prevention, traffic monitoring, blacklisting, address binding, operation commands, firewall logins, packet filtering, and content filtering. It provides the following alarm types: firewall timeout, attack prevention, interface status and abnormal traffic, log levels, and keywords. These features reveal network threats.

Robust statistical analysis and multi-dimensional reports, which comply with laws and regulations
Through precise log analysis and statistics, the Secospace eLog provides abundant reports from multiple dimensions such as the time, log type, flow, security feature, user, and legal compliance. This helps users obtain network flow information and attacks, understand network status, and manage logs for security and network devices. The solution outputs a series of legally compliant audit reports.

Real-time and diversified alarm responses and excellent alarm management, which allow administrators to identify threats properly
The Secospace eLog provides email, short message, audio, visual, and sound alarms. It detects events that comply with alarm policies in a timely manner, promptly generates alarms, and generates alarm events. The administrator can monitor and query alarms online and precisely identify threats.

Diversified log collection modes, which do not affect service systems
The Secospace eLog collects logs in Syslog, SNMP Trap, OPSec, FTP/SFTP, WMI, and JDBC modes. It uses proactive acquisition to collect logs for operating systems, databases, and servers without needing an agent program.

User-friendly log query methods, which save time and improve work efficiency
The Secospace eLog provides online query and task query. Online query can instantly switch to task query.

Complete security measures, which safeguard the system
The Secospace eLog secures and verifies log data to ensure log accuracy and integrity. Through role-based access control, it adopts the principle of power separation and HTTPS to ensure permission, access, and data transmission security.

Meeting carrier-class reliability requirements
Log collectors that adopt passive collection modes are configured in N to 1 backup mode. Switchover is supported in case a log collector fails, which prevents log losses. The Secospace eLog provides a buffer mechanism to avoid data loss due to a short-term network failure. It records failures or abnormal status changes automatically. The system restarts automatically after a failure to ensure that normal operations are maintained. The solution also provides log backup and recovery.

High log processing performance, which meets high-speed data flow requirements
Up to 250000 EPS flow logs can be processed on average, peaking at 300000 EPS. Up to 8000 EPS text logs can be processed on average with a peak of 9500 EPS. Processing performance can be improved by adding a log collector.

Massive log storage capability, which meets log storage requirements
The Secospace eLog can connect to external disk arrays or cascading disk arrays to support massive log storage through mature storage solutions.

Flexible deployment, which does not affect the existing network
The Secospace eLog provides centralized and distributed deployment and supports flexible deployment based on network architecture and customer requirements.

Product Specifications
The Secospace eLog consists of log servers, log collectors, consoles, and probes.

[Figure: Secospace eLog components. Labels: Firewall, UTM, IDS, IPS, VPN, Router/BRAS, Switch, Operating Systems, Web server, Databases, Log Collector, Log Server, console, FTP/Telnet/HTTP probe]

Component: Description

Log server: Audits event management, alarm management, report management, user management, and system management. Supported operating systems include Windows Server 2003 R2 Standard Edition SP2 and Windows XP Professional SP2.

Log collector: Performs log collection, classification, filtering, merging, alarms, and flow statistics. Supported operating systems include Windows Server 2003 R2 Standard Edition SP2 and Windows XP Professional SP2.

Probe: Through network flow mirroring, the probe restores HTTP, FTP, and Telnet operations, and restores, monitors, and audits Oracle, Sybase, MS SQL Server, DB2, and Informix database operations based on HTTP, FTP, and Telnet.

Console: The console accesses the Secospace eLog through Microsoft Internet Explorer (6.x or above). The supported operating system is Windows XP Professional SP2.

Typical Deployment
The Secospace eLog is designed with distributed architecture and supports centralized and distributed deployment. Through
flexible deployment, the Secospace eLog meets customers' deployment requirements in different network environments.

[Figure: Centralized deployment and distributed deployment. Labels: Data Center, Log Server, Log Collector, Probe, Console]

Centralized deployment applies when managed devices are centralized and the network environment is simple. The centralized deployment of log servers, log collectors, and probes meets the log management and audit requirements of security devices, network devices, hosts, and databases.

Distributed deployment applies when managed devices are dispersed and the network environment is complex. Log collectors and probes are deployed in the dispersed device subnets that require log collection. The log collectors collect the processed logs to the log server for unified analysis and management.

The information contained in this document is for reference purposes only and does not constitute a warranty of any kind, express or implied. It is subject to change or withdrawal according to specific customer requirements and conditions.
All the trademarks, pictures, and brands mentioned in this document are the property of Huawei Symantec Technologies Co., Ltd or their respective holders.

Copyright ©2010 Huawei Symantec Technologies Co., Ltd. All rights reserved.

Version No.: M3-110019999-20100120-V-1.0
