Logsign's Data Policy Manager allows users to optimize log management and collection by creating data policies for individual log sources or groups. These policies can include or exclude specific logs, set redundancy periods to filter duplicate log lines, and filter log fields for indexing, storage, and searches. This increases the effectiveness of log collection, storage, and indexing performance while respecting various company and regulatory requirements.
1. All Rights Reserved - Logsign 2015
Data Policy Manager
Security Information and Event Management
LOGSIGN V4.0
WORKSHOP
2. All Rights Reserved - Logsign 2015 www.logsign.com http://support.logsign.com
Overview
Easy to deploy via over 200 ready integrations and free plugin services, Logsign
collects terabytes of logs and events in real time from hundreds of physical,
virtual and cloud data sources.
Logsign's enterprise-wide log collection techniques are WMI, Syslog,
Oracle, SQL, CEF, File Share, NFS Share, FTP/SFTP, ODBC, LEA API and
more.
As a result, log volumes grow bigger every day.
Logsign Data Policy Manager enables you to optimize log management
while respecting company policies and multiple regulations.
Data Policy Manager
How?
Create data policies with Logsign DPM:
● for every single log source, or a group of sources, to collect logs;
● for setting the redundancy period of logs;
● for managing storage capacity by including or excluding collected logs.
Therefore Logsign DPM increases the effectiveness of collection and storage and
the performance of indexing.
For Input
In the For Input field, policies can be applied to the data as it is collected at the
input level.
● With ‘Include by regexp’, the desired data is collected and written by adding
specific rules or words, and with ‘Exclude by regexp’, the unwanted data is
specified with added rules.
● With ‘Include by Key-Value’, defined columns and values in parsed logs (e.g.
Windows logs) are set to be written to the system; they can also be set not to be
viewed in the system by using ‘Exclude by Key-Value’.
As you can see on the right side, for Windows, successful and denied logon
events are collected, but logoff events are set not to be collected.
● When you set a redundancy period, identical log lines captured within that
time period are filtered out, so your disk space is not filled with unnecessary
files and logs.
For Parsing
● In the For Parsing field, you can specify a column after the data has been
parsed, to apply column-based filtering of repetitive data.
For Indexing
In the For Indexing field, in addition to the ‘Include/Exclude by Regexp’ and
‘Include/Exclude by Key-Value’ fields:
● ‘Filter Index Fields’ allows you to index only the specified written columns
(the columns that are filtered out also can’t be viewed in Search, Reports and Alerts).
For Indexing
In the Search menu, the results are shown as below by default, before and after
applying the Index Filter.
[Figure: search results BEFORE and AFTER applying the Index Filter]
For Indexing
Additionally, for indexing, the desired data can be made viewable with the ‘Include Log’
option and the unwanted data set not to be viewed with the ‘Exclude Log’ option. When
the ‘Include/Exclude Log’ option is enabled, Event.SystemID column values can be
typed into the SystemID fields.
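To make the stages above concrete, here is an added illustration (not Logsign's own code or schema) of how one data policy behaves: regexp and key-value include/exclude rules and a redundancy period decide what is written at the input stage, and Filter Index Fields decides which columns reach the index. The sample events are constructed, the field names are an assumption, and the Windows Event IDs 4624/4625/4634 are the standard successful-logon, failed-logon and logoff events used to mirror the Windows example on the earlier slide.

```python
import re

# Constructed sample of parsed Windows logon events (field names are an assumption)
SAMPLE_EVENTS = [
    {"ts": 0, "EventID": "4624", "User": "alice", "raw": "An account was successfully logged on"},
    {"ts": 5, "EventID": "4624", "User": "alice", "raw": "An account was successfully logged on"},
    {"ts": 7, "EventID": "4625", "User": "bob", "raw": "An account failed to log on"},
    {"ts": 9, "EventID": "4634", "User": "alice", "raw": "An account was logged off"},
    {"ts": 12, "EventID": "4624", "User": "svc", "raw": "DEBUG An account was successfully logged on"},
    {"ts": 70, "EventID": "4624", "User": "alice", "raw": "An account was successfully logged on"},
]

class DataPolicy:
    def __init__(self, include_re=None, exclude_re=None, include_kv=None,
                 exclude_kv=None, redundancy_secs=0, index_fields=None):
        self.include_re = re.compile(include_re) if include_re else None
        self.exclude_re = re.compile(exclude_re) if exclude_re else None
        self.include_kv = include_kv or {}   # {field: set of allowed values}
        self.exclude_kv = exclude_kv or {}   # {field: set of dropped values}
        self.redundancy_secs = redundancy_secs
        self.index_fields = index_fields     # None keeps every column
        self._last_seen = {}                 # raw line -> ts of last accepted copy

    def accept_input(self, event):
        """'For Input' stage: decide whether the event is written at all."""
        raw = event["raw"]
        if self.include_re and not self.include_re.search(raw):
            return False
        if self.exclude_re and self.exclude_re.search(raw):
            return False
        if any(event.get(k) not in ok for k, ok in self.include_kv.items()):
            return False
        if any(event.get(k) in bad for k, bad in self.exclude_kv.items()):
            return False
        if self.redundancy_secs:  # identical line inside the window is a duplicate
            last = self._last_seen.get(raw)
            if last is not None and event["ts"] - last < self.redundancy_secs:
                return False
            self._last_seen[raw] = event["ts"]
        return True

    def index_view(self, event):
        """'For Indexing' stage: keep only the columns chosen by Filter Index Fields."""
        if not self.index_fields:
            return dict(event)
        return {k: event[k] for k in self.index_fields if k in event}

def apply_policy(policy, events):
    """Events must be ordered by ts; returns the records that reach the index."""
    return [policy.index_view(e) for e in events if policy.accept_input(e)]
```

With a 60-second redundancy period, the repeated logon line at ts=5 is dropped while the identical line at ts=70 is kept, and the logoff and DEBUG lines never reach storage.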
For JSON Store & For RAW Store
● In the For JSON Store field, rules and filters can be specified with the same
features as in the For Input and For Indexing fields.
● In the For RAW Store field, the desired or unwanted data can be specified, by
regexp rules at the first input level, to be collected or not.
For Persisting
● In the For Persist field, the data can be collected in the system under specific
names defined for each source.
Summary
Therefore, Logsign DPM can be considered a SIEM use case.
[Figure: Logsign DPM]
● Increased effectiveness of collection, storage and performance of indexing
● Multiple regulations
● Flexible & customized rule setting