Analytics and Big Data
As an open source logging platform, the Elastic Stack makes it possible to collect, analyze and coordinate log data.
Use Elasticsearch as a syslog server for the central storage of all log data. The log data is not only stored centrally; it can also be searched and evaluated efficiently.
Log Data -> System logs, Microsoft Event Log, application logs, database logs, web server logs etc.
Use Case (save costs) -> Use Elastic as the central log data store and forward only pre-filtered log data from Elastic to Splunk, or use Elastic as a replacement for Splunk.
The key to SIEM (Security Information and Event Management) is the collection and analysis of all data as well as the quasi-real-time evaluation and presentation of the available information.
The need can come from anywhere. That is why it is important to have a complete, real-time picture of what is happening across all of your systems. It must not be the case that, for cost reasons, some systems cannot be included in the overall picture.
There are several beats available from Elastic to capture this information.
Authentication -> Filebeat: Auth-Logs
Audit-Events -> Auditbeat: Audit-Logs
DNS-Traffic -> Packetbeat: DNS protocol
Netflow -> Logstash: NetFlow-Module
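The cost-saving use case above (Elastic as the central log store, only pre-filtered events forwarded to Splunk) can be expressed as a Logstash pipeline that receives the Beats listed here. This is an added example, not configuration from the original page or from Elastic; the host names, the Splunk HEC endpoint, the environment variable name and the ECS field names used in the filter are assumptions.

```logstash
input {
  # All Beats (Filebeat, Auditbeat, Packetbeat) ship to this port.
  beats {
    port => 5044
  }
}

filter {
  # Mark only the events the downstream SIEM should see: failed logins
  # and audit events. Field names are assumed ECS-style Beats fields.
  if [event][outcome] == "failure" or [event][module] == "auditd" {
    mutate { add_tag => ["forward_to_splunk"] }
  }
}

output {
  # Every event lands in Elasticsearch, the central log store (placeholder host).
  elasticsearch {
    hosts => ["https://es.example.internal:9200"]
    index => "logs-%{+YYYY.MM.dd}"
  }

  # Only tagged (pre-filtered) events are sent to Splunk's HTTP Event
  # Collector, so licensed Splunk volume stays small (placeholder host and
  # assumed environment variable SPLUNK_HEC_TOKEN).
  if "forward_to_splunk" in [tags] {
    http {
      url         => "https://splunk.example.internal:8088/services/collector/event"
      http_method => "post"
      format      => "json"
      headers     => { "Authorization" => "Splunk ${SPLUNK_HEC_TOKEN}" }
      mapping     => {
        "sourcetype" => "elastic:forwarded"
        "event"      => "%{message}"
      }
    }
  }
}
```

Adjust the filter conditions to whatever your Beats modules actually populate; anything not tagged stays searchable in Elasticsearch without ever reaching Splunk.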
Anomalies can be detected very practically with the help of modern technology, so-called machine learning.
Machine learning analyzes data from the past and compares it with current data on a predefined timeline.
In the same way, forecasts of future behaviour can be derived.
- Elastic (ML)